From: dhiru dot kholia at gmail dot com
Operating system: Fedora 19
PHP version: 5.5.3
Package: Reproducible crash
Bug Type: Bug
Bug description: stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
Description:
------------
Summary: stack-buffer-overflow exists in DateTimeZone stuff which was caught by AddressSanitizer.

I am using Fedora 19's GCC which supports AddressSanitizer.

1. Download and extract php-5.5.3.tar.xz

2. Configure build flags,

export CFLAGS="-fsanitize=address -O2 -ggdb"
export LDFLAGS="-fsanitize=address"

3. Build PHP as usual using "make".

4. Running ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php crashes with,

*** Testing clone on DateTime objects ***
=================================================================
==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7
...
READ of size 1 at 0x7fff0209a9d7 thread T0
    #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
    #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
    #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
    #3 0x9d8f1b in zif_var_dump /scratch/php-5.5.3/ext/standard/var.c:183 (discriminator 2)
    #4 0xdf048c in zend_do_fcall_common_helper_SPEC /scratch/php-5.5.3/Zend/zend_vm_execute.h:543
    #5 0xc01a9f in execute_ex /scratch/php-5.5.3/Zend/zend_vm_execute.h:356
    #6 0xb8394e in zend_execute_scripts /scratch/php-5.5.3/Zend/zend.c:1316
    #7 0xa5b2d4 in php_execute_script /scratch/php-5.5.3/main/main.c:2484
    #8 0xdf4ff1 in do_cli /scratch/php-5.5.3/sapi/cli/php_cli.c:994
    #9 0x434deb in main /scratch/php-5.5.3/sapi/cli/php_cli.c:1378
    #10 0x386b021b74 in ?? ??:0
    #11 0x435388 in _start ??:?
Test script:
---------------
$ ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php

--
Edit bug report at https://bugs.php.net/bug.php?id=65564&edit=1
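An added triage helper, not part of the bug report: it parses the AddressSanitizer report format shown above (error class, faulting access, symbolized frames) so findings like this one can be recorded and compared consistently. The sample text is the report's own output, trimmed to a few frames; `blame_frame` and its rule of skipping the generic Zend hash frame in favour of the ext/date caller are this example's assumption, not a statement from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the AddressSanitizer output from the report above, trimmed to four frames.
ASAN_REPORT = """\
==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7
READ of size 1 at 0x7fff0209a9d7 thread T0
    #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
    #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
    #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
    #11 0x435388 in _start ??:?
"""
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
# "#N 0xADDR in func path:line"; path/line are loose so unsymbolized "??:?" frames still parse.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?)(?::(\d+))?(?:\s|$)", re.M)
@dataclass
class Frame:
    index: int
    function: str
    file: str
    line: Optional[int]  # None when the frame is unsymbolized

@dataclass
class AsanFinding:
    kind: str            # e.g. "stack-buffer-overflow"
    address: str
    access: str          # "READ" or "WRITE"
    size: int
    frames: list = field(default_factory=list)

def parse_asan_report(text: str) -> AsanFinding:
    """Pull the bug class, faulting access and symbolized stack out of one ASan report."""
    head, acc = HEADER_RE.search(text), ACCESS_RE.search(text)
    if not head or not acc:
        raise ValueError("not a complete AddressSanitizer error report")
    finding = AsanFinding(head.group(1), head.group(2), acc.group(1), int(acc.group(2)))
    for idx, func, path, line in FRAME_RE.findall(text):
        finding.frames.append(Frame(int(idx), func, path, int(line) if line else None))
    return finding

def blame_frame(finding: AsanFinding, skip_dirs=("/Zend/",)) -> Optional[Frame]:
    """First symbolized frame outside the skipped directories (this example's triage heuristic:
    the Zend hash code only reads bytes its caller passed in, so start at that caller)."""
    for fr in finding.frames:
        if fr.line is not None and not any(d in fr.file for d in skip_dirs):
            return fr
    return None
```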