Edit report at http://bugs.php.net/bug.php?id=50987&edit=1
ID: 50987
Comment by: geiss...@php.net
Reported by: geissert at debian dot org
Summary: unaligned memory access in phar.c
Status: Open
Type: Bug
Package: PHAR related
Operating System: linux ia64
PHP Version: 5.3.1

New Comment:

Any reason for not applying the patch?

cheers

Previous Comments:
------------------------------------------------------------------------
[2010-02-10 20:32:10] geissert at debian dot org

The phar one was found while building the extension itself (the call to php in ext/phar/Makefile.frag to generate phar.php.)

There are probably more, but still have to process them. In the meanwhile, here's another (found while unpacking pear):

@@ -512,7 +512,7 @@ void phar_entry_remove(phar_entry_data * (buffer) += 2 #else # define PHAR_GET_32(buffer, var) \ - var = *(php_uint32*)(buffer); \ + memcpy(&var, buffer, sizeof(var)); \ buffer += 4 # define PHAR_GET_16(buffer, var) \ var = *(php_uint16*)(buffer); \

As for CFLAGS: -O2 -Wall -fsigned-char -fno-strict-aliasing -g -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

Should be easy for you to find them by running the test suite under prctl --unaligned=signal (all the phar tests will fail.) That's how I found them all (I can provide the name of the tests that failed in a moment, I'm rebuilding with the patches I already provided.)

------------------------------------------------------------------------
[2010-02-10 20:05:21] paj...@php.net

hi,

Can you provide test cases for these crashes please? As well as your settings (CFLAGS&co) as I can't see crashes on IA64 here (or other 64bit platforms).

Same applies for your other reports :)

Thanks for your feedback!

------------------------------------------------------------------------
[2010-02-10 07:27:23] geissert at debian dot org

Description:
------------
There's an unaligned memory access in ext/phar/phar.c's phar_set_32 function.

The following patch fixes it:

--- php.orig/ext/phar/phar.c +++ php/ext/phar/phar.c 
@@ -2491,7 +2491,7 @@ static inline void phar_set_32(char *buf *((buffer) + 1) = (unsigned char) (((var) >> 8) & 0xFF); *((buffer) + 0) = (unsigned char) ((var) & 0xFF); #else - *(php_uint32 *)(buffer) = (php_uint32)(var); + memcpy(buffer, &var, sizeof(var)); #endif } /* }}} */ ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=50987&edit=1
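
Review bot: In the PHAR_GET_32 hunk (@@ -512,7 +512,7 @@), the added memcpy(&var, buffer, sizeof(var)) copies as many bytes as var is wide, while the removed line always read a php_uint32 and the following line still advances with buffer += 4. If any user of the macro passes a var that is not exactly 32 bits wide, the copy no longer matches the four bytes the macro consumes. Suggest copying into a php_uint32 temporary (or using sizeof(php_uint32)) and assigning that to var. The context line var = *(php_uint16*)(buffer); in PHAR_GET_16 directly below uses the same cast pattern and is left unchanged by this hunk, so it should get the same treatment.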
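
Review bot: In the phar_set_32 hunk (@@ -2491,7 +2491,7 @@), the removed line cast var to php_uint32 and stored exactly that width, but the added memcpy(buffer, &var, sizeof(var)) writes however many bytes the declared type of var has, and that type is not visible here because the signature in the @@ header is cut off. If var is declared wider than php_uint32, the copy writes past the field that the byte-wise branch above #else fills in. Suggest keeping the width explicit: assign (php_uint32)(var) to a local and memcpy sizeof(php_uint32) bytes from it, so both branches of the #if store the same number of bytes.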