ID:               50987
 Comment by:       geissert at debian dot org
 Reported By:      geissert at debian dot org
 Status:           Feedback
 Bug Type:         PHAR related
 Operating System: linux ia64
 PHP Version:      5.3.1
 New Comment:

The phar one was found while building the extension itself (the call to
php in ext/phar/Makefile.frag to generate phar.php.)

There are probably more, but I still have to process them. In the
meantime, here's another (found while unpacking pear):

@@ -512,7 +512,7 @@ void phar_entry_remove(phar_entry_data *
        (buffer) += 2
 #else
 # define PHAR_GET_32(buffer, var) \
-       var = *(php_uint32*)(buffer); \
+       memcpy(&var, buffer, sizeof(var)); \
        buffer += 4
 # define PHAR_GET_16(buffer, var) \
        var = *(php_uint16*)(buffer); \
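Review bot: the PHAR_GET_16 macro visible in the trailing context of this hunk (`var = *(php_uint16*)(buffer); \`) still performs the same unaligned dereference that the hunk removes from PHAR_GET_32, so 16-bit header fields will keep faulting under strict alignment; apply the same fix there as `memcpy(&var, buffer, sizeof(var)); \`, and keep the macro argument parenthesised as `(buffer)` to match the surrounding macro text.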

As for CFLAGS: -O2 -Wall -fsigned-char -fno-strict-aliasing -g
-D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Should be easy for you to find them by running the test suite under
prctl --unaligned=signal (all the phar tests will fail.) That's how I
found them all (I can provide the name of the tests that failed in a
moment, I'm rebuilding with the patches I already provided.)


Previous Comments:
------------------------------------------------------------------------

[2010-02-10 20:05:21] paj...@php.net

hi,

Can you provide test cases for these crashes please, as well as your
settings (CFLAGS & co)? I can't see crashes on IA64 here (or other
64-bit platforms). Same applies for your other reports :)

Thanks for your feedback!

------------------------------------------------------------------------

[2010-02-10 07:27:23] geissert at debian dot org

Description:
------------
There's an unaligned memory access in ext/phar/phar.c's phar_set_32
function.

The following patch fixes it:

--- php.orig/ext/phar/phar.c
+++ php/ext/phar/phar.c
@@ -2491,7 +2491,7 @@ static inline void phar_set_32(char *buf
        *((buffer) + 1) = (unsigned char) (((var) >> 8) & 0xFF);
        *((buffer) + 0) = (unsigned char) ((var) & 0xFF);
 #else
-       *(php_uint32 *)(buffer) = (php_uint32)(var);
+       memcpy(buffer, &var, sizeof(var));
 #endif
 } /* }}} */
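Review bot: the removed line cast `var` to `php_uint32` before the store, while the replacement `memcpy(buffer, &var, sizeof(var));` copies `sizeof(var)` bytes of whatever type `var` has in the (truncated) signature `static inline void phar_set_32(char *buf`, so if that parameter is not a 4-byte unsigned type the write size or byte layout changes; copy through a typed temporary instead, e.g. `php_uint32 tmp = (php_uint32)(var); memcpy(buffer, &tmp, sizeof(tmp));`. A short comment saying the memcpy exists to avoid unaligned stores on ia64 would also stop a later cleanup from reintroducing the cast-and-dereference.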




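As an added example (not code from PHP's ext/phar, and not part of the report above), the following C shows the problem the patches address: reading or writing a 4-byte field at an arbitrary offset in a byte buffer via `*(php_uint32 *)buffer` is an unaligned access that strict-alignment CPUs such as ia64 reject, while a `memcpy` of `sizeof(var)` bytes lets the compiler emit whatever loads the target allows. The sample record layout and the names `get_32_le`, `set_32_le`, `get_32_bytes`, `is_misaligned_4` and `demo_roundtrip` are constructed for this example; the byte-wise reader mirrors the `#if` branch of the PHP macros and the memcpy form mirrors the patched `#else` branch.

```c
/*
 * Added example, not code from PHP's ext/phar: demonstrates the memcpy
 * technique from the bug report for unaligned 32-bit fields.
 * All names here are hypothetical.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 1-byte tag followed by two little-endian 32-bit
 * fields at offsets 1 and 5, so neither field is 4-byte aligned. */
static const unsigned char sample_record[9] = {
    0x01,                     /* tag */
    0x78, 0x56, 0x34, 0x12,   /* 0x12345678 */
    0xEF, 0xBE, 0xAD, 0xDE    /* 0xDEADBEEF */
};

static int host_is_little_endian(void)
{
    const uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

static uint32_t bswap32(uint32_t v)
{
    return (v << 24) | ((v & 0x0000FF00u) << 8) |
           ((v & 0x00FF0000u) >> 8) | (v >> 24);
}

/* memcpy form (what the patch does): the compiler may emit byte loads on
 * strict-alignment targets, so no SIGBUS. PHP's macro lives in an #else
 * branch that assumes a little-endian host; the swap keeps this example
 * correct on big-endian hosts as well. */
static uint32_t get_32_le(const unsigned char *buffer)
{
    uint32_t var;
    memcpy(&var, buffer, sizeof var);
    return host_is_little_endian() ? var : bswap32(var);
}

/* Counterpart of phar_set_32: copy from a typed temporary so exactly
 * four bytes are written whatever the caller's argument type was. */
static void set_32_le(unsigned char *buffer, uint32_t var)
{
    uint32_t tmp = host_is_little_endian() ? var : bswap32(var);
    memcpy(buffer, &tmp, sizeof tmp);
}

/* Byte-wise form (the #if branch in phar.c): alignment- and
 * endian-independent, at the cost of four single-byte loads. */
static uint32_t get_32_bytes(const unsigned char *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* 1 if a 4-byte access through this pointer would be unaligned, i.e.
 * what prctl --unaligned=signal turns into a fatal signal on ia64. */
static int is_misaligned_4(const void *p)
{
    return ((uintptr_t)p & 3u) != 0;
}

/* Write both fields into a fresh buffer, read them back both ways, and
 * return how many fields round-tripped (expected: 2). */
static int demo_roundtrip(void)
{
    unsigned char buf[9] = {0x01};
    int ok = 0;
    set_32_le(buf + 1, 0x12345678u);
    set_32_le(buf + 5, 0xDEADBEEFu);
    if (get_32_le(buf + 1) == 0x12345678u &&
        get_32_bytes(buf + 1) == 0x12345678u)
        ok++;
    if (get_32_le(buf + 5) == 0xDEADBEEFu &&
        get_32_bytes(buf + 5) == 0xDEADBEEFu)
        ok++;
    return ok;
}

int main(void)
{
    printf("field1 = 0x%08lX (misaligned: %d)\n",
           (unsigned long)get_32_le(sample_record + 1),
           is_misaligned_4(sample_record + 1));
    printf("field2 = 0x%08lX\n", (unsigned long)get_32_bytes(sample_record + 5));
    printf("roundtrip ok: %d/2\n", demo_roundtrip());
    return 0;
}
```

Note that `-fno-strict-aliasing` in the reported CFLAGS only relaxes type-based aliasing; it does nothing for alignment, and casting a `char *` to `php_uint32 *` that is not suitably aligned is undefined behaviour in C regardless of aliasing flags. On x86 the cast version happens to work, which is why the crashes only show up on ia64 or under `prctl --unaligned=signal`.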
------------------------------------------------------------------------

