Edit report at https://bugs.php.net/bug.php?id=65564&edit=1

 ID:                 65564
 Updated by:         r...@php.net
 Reported by:        dhiru dot kholia at gmail dot com
 Summary:            stack-buffer-overflow in DateTimeZone stuff caught
                     by AddressSanitizer
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            Date/time related
 Operating System:   Fedora 19
 PHP Version:        5.5.3
 Assigned To:        remi
 Block user comment: N
 Private report:     N

 New Comment:

Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d69513afecf3d82c6bfba35ef1634b3b7c377d87
Log: Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer


Previous Comments:
------------------------------------------------------------------------
[2013-08-30 07:49:15] r...@php.net

Found:
-zend_hash_update(props, "days", 5, &zv, sizeof(zval), NULL);
+zend_hash_update(props, "days", 5, &zv, sizeof(zv), NULL);
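Review bot: the element size is the right thing to change here, and it is worth checking the rest of the function for the same slip. zend_hash_update copies `size` bytes from the address passed as data; the call passes `&zv`, so the size must be that of the variable `zv` itself (a pointer, assuming `zv` is declared `zval *` as in the usual PHP 5 property-table pattern), which is exactly what `sizeof(zv)` gives. `sizeof(zval)` named the whole struct, so the copy read sizeof(zval) bytes out of a pointer-sized stack slot, which matches the "READ of size 1 ... stack-buffer-overflow" at _zend_hash_add_or_update in the report. Suggest grepping the same file for other `zend_hash_update(..., &zv, sizeof(zval), ...)` calls with a `zval *` argument, and keeping one of the failing .phpt cases (e.g. ext/date/tests/DateTimeZone_clone_basic1.phpt under an ASAN build) as the regression check.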

Will run some more tests and will commit the fix.

------------------------------------------------------------------------
[2013-08-30 06:01:41] r...@php.net

Reassigning as Date/Time related as only this extension is affected.

------------------------------------------------------------------------
[2013-08-30 05:59:59] r...@php.net

Reproduced with the php5.5-201308300430 snapshot.

This issue makes 62 tests fail, all in the date extension.

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
date_isodate_set() tests [ext/date/tests/012.phpt]
date_date_set() tests [ext/date/tests/013.phpt]
timezone_offset_get() tests [ext/date/tests/014.phpt]
Test clone on DateTimeZone objects 
[ext/date/tests/DateTimeZone_clone_basic1.phpt]
Testing clone on objects whoose class derived from DateTimeZone class 
[ext/date/tests/DateTimeZone_clone_basic2.phpt]
Test clone of DateTimeZOne objects 
[ext/date/tests/DateTimeZone_clone_basic3.phpt]
Test new DateTimeZone() : basic functionality 
[ext/date/tests/DateTimeZone_construct_basic.phpt]
Test serialization of DateTimeZone objects 
[ext/date/tests/DateTimeZone_serialize_type_1.phpt]
Test serialization of DateTimeZone objects 
[ext/date/tests/DateTimeZone_serialize_type_2.phpt]
Test serialization of DateTimeZone objects 
[ext/date/tests/DateTimeZone_serialize_type_3.phpt]
Test clone of objects whoose class derived from DateTime class 
[ext/date/tests/DateTime_clone_basic2.phpt]
Test clone of DateTime objects [ext/date/tests/DateTime_clone_basic3.phpt]
Test new DateTime() : basic functionality 
[ext/date/tests/DateTime_construct_basic1.phpt]
Test new DateTime() function : usage variation - Passing unexpected values to 
first argument $time. [ext/date/tests/DateTime_construct_variation1.phpt]
Test new DateTime() function : usage variation - Passing unexpected values to 
second argument $timezone. [ext/date/tests/DateTime_construct_variation2.phpt]
Test DateTime::modify() function : usage variation - Passing unexpected values 
to first argument $modify. [ext/date/tests/DateTime_modify_variation1.phpt]
Test serialization of DateTime objects [ext/date/tests/DateTime_serialize.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values 
to first argument $year. [ext/date/tests/DateTime_setDate_variation1.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values 
to second argument $month. [ext/date/tests/DateTime_setDate_variation2.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values 
to third argument $day. [ext/date/tests/DateTime_setDate_variation3.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected 
values to first argument $year. 
[ext/date/tests/DateTime_setISODate_variation1.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected 
values to second argument $week. 
[ext/date/tests/DateTime_setISODate_variation2.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected 
values to third argument $day. 
[ext/date/tests/DateTime_setISODate_variation3.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values 
to first argument $hour. [ext/date/tests/DateTime_setTime_variation1.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values 
to second argument $minute. [ext/date/tests/DateTime_setTime_variation2.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values 
to third argument $second. [ext/date/tests/DateTime_setTime_variation3.phpt]
Bug #41523 (strtotime('0000-00-00 00:00:00') is parsed as 1999-11-30) (64 bit) 
[ext/date/tests/bug41523-64bit.phpt]
Bug #45682 (Unable to var_dump(DateInterval)) [ext/date/tests/bug45682.phpt]
Bug #46108 (DateTime - Memory leak when unserializing) 
[ext/date/tests/bug46108.phpt]
Bug #48097 (date_timezone_set function produces wrong datetime result) 
[ext/date/tests/bug48097.phpt]
Bug #48678 (DateInterval segfaults when unserialising) 
[ext/date/tests/bug48678.phpt]
Bug #49081 (DateTime::diff() mistake if start in January and interval > 28 
days) [ext/date/tests/bug49081.phpt]
Bug #49778 (DateInterval::format("%a") is always zero when an interval is 
created from an ISO string) [ext/date/tests/bug49778.phpt]
Bug #51866 (Lenient parsing with parseFromFormat) [ext/date/tests/bug51866.phpt]
Bug #52113 (Seg fault while creating (by unserialization) DatePeriod) 
[ext/date/tests/bug52113.phpt]
Bug #52738 (Can't use new properties in class extended from DateInterval) 
[ext/date/tests/bug52738.phpt]
Bug #52808 (Segfault when specifying interval as two dates) 
[ext/date/tests/bug52808.phpt]
Bug #53437 (Crash when using unserialized DatePeriod instance), variation 1 
[ext/date/tests/bug53437.phpt]
Bug #53437 DateInterval basic serialization [ext/date/tests/bug53437_var2.phpt]
Bug #53437 (Check that var_dump out is the same using the whole object or it's 
single properties), variation 4 [ext/date/tests/bug53437_var4.phpt]
Bug #53437 DateInterval unserialize bad data, 64 bit 
[ext/date/tests/bug53437_var5.phpt]
Bug #54316 (DateTime::createFromFormat does not handle trailing '|' correctly) 
[ext/date/tests/bug54316.phpt]
Bug #54340 (DateTime::add() method bug) [ext/date/tests/bug54340.phpt]
Bug #60236 (TLA timezone dates are not converted properly from timestamp) 
[ext/date/tests/bug60236.phpt]
Bug #60774 (DateInterval::format("%a") is always zero when an interval is 
created using the createFromDateString method) [ext/date/tests/bug60774.phpt]
Test for + character in date format [ext/date/tests/date-lenient-create.phpt]
Test date_create() function : basic functionality 
[ext/date/tests/date_create_basic.phpt]
Test date_create() function : usage variation - Passing unexpected values to 
first argument $time. [ext/date/tests/date_create_variation1.phpt]
Test date_create() function : usage variation - Passing unexpected values to 
second argument $timezone. [ext/date/tests/date_create_variation2.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to 
second argument $year. [ext/date/tests/date_date_set_variation2.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to 
third argument $month. [ext/date/tests/date_date_set_variation3.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to 
forth argument $day. [ext/date/tests/date_date_set_variation4.phpt]
Test for date_diff with timezone abbreviations. [ext/date/tests/date_diff1.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values 
to second argument $year. [ext/date/tests/date_isodate_set_variation2.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values 
to third argument $week. [ext/date/tests/date_isodate_set_variation3.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values 
to forth argument $day. [ext/date/tests/date_isodate_set_variation4.phpt]
Test date_modify() function : usage variation - Passing unexpected values to 
second argument $format. [ext/date/tests/date_modify_variation2.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to 
second argument $hour. [ext/date/tests/date_time_set_variation2.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to 
third argument $minute. [ext/date/tests/date_time_set_variation3.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to 
forth argument $sec. [ext/date/tests/date_time_set_variation4.phpt]
date_create_from_format() and date_parse_from_format(). 
[ext/date/tests/test-parse-from-format.phpt]
Test timezone_open() function : basic functionality 
[ext/date/tests/timezone_open_basic1.phpt]
=====================================================================

------------------------------------------------------------------------
[2013-08-27 04:34:55] dhiru dot kholia at gmail dot com

Description:
------------
Summary: stack-buffer-overflow exists in DateTimeZone stuff which was caught by AddressSanitizer.

I am using Fedora 19's GCC which supports AddressSanitizer.

1. Download and extract php-5.5.3.tar.xz

2. Configure build flags,

   export CFLAGS="-fsanitize=address -O2 -ggdb"

   export LDFLAGS="-fsanitize=address"

3. Build PHP as usual using "make".

4. Running ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php crashes with,

    *** Testing clone on DateTime objects ***
    =================================================================
    ==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7 ...
    READ of size 1 at 0x7fff0209a9d7 thread T0
        #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
        #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
        #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
        #3 0x9d8f1b in zif_var_dump /scratch/php-5.5.3/ext/standard/var.c:183 (discriminator 2)
        #4 0xdf048c in zend_do_fcall_common_helper_SPEC /scratch/php-5.5.3/Zend/zend_vm_execute.h:543
        #5 0xc01a9f in execute_ex /scratch/php-5.5.3/Zend/zend_vm_execute.h:356
        #6 0xb8394e in zend_execute_scripts /scratch/php-5.5.3/Zend/zend.c:1316
        #7 0xa5b2d4 in php_execute_script /scratch/php-5.5.3/main/main.c:2484
        #8 0xdf4ff1 in do_cli /scratch/php-5.5.3/sapi/cli/php_cli.c:994
        #9 0x434deb in main /scratch/php-5.5.3/sapi/cli/php_cli.c:1378
        #10 0x386b021b74 in ?? ??:0
        #11 0x435388 in _start ??:?



Test script:
---------------
$ ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php 



------------------------------------------------------------------------
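The mechanism behind the AddressSanitizer trace in the report, as an added example that is not PHP's own code: a constructed, pointer-wide property table modelled on the zend_hash_update contract (the table copies `size` bytes from the caller's pointer), a stack variable `zv` holding a `zval *`, and the `sizeof(zval)` versus `sizeof(zv)` mismatch. The `zval` struct, `ptr_table`, `table_init`, `table_update`, `table_find` and the sample value 42 are all stand-ins invented for this example, not Zend's definitions. The one thing the wrapper adds that Zend's API does not have is the element-size check; the real zend_hash_update trusts the caller, which is why in the actual tree the defence is getting the sizeof right and building with the reporter's flags (`CFLAGS="-fsanitize=address -O2 -ggdb"`) so a mismatch is caught in the test suite.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a PHP 5 zval. The real struct differs, but the
 * property that matters here is the same: it is wider than a pointer. */
typedef struct {
    union { long lval; double dval; } value;
    unsigned int  refcount;
    unsigned char type;
    unsigned char is_ref;
} zval;

/* Hypothetical stand-in for the property HashTable. Zend's table stores each
 * entry as a copy of `nDataSize` bytes taken from the caller's pointer; for
 * object properties that copy is a zval* (pointer-sized), so each slot here is
 * exactly one pointer wide and the table records that element size. */
#define NSLOTS 8
typedef struct {
    size_t elem_size;
    int    used;
    char   keys[NSLOTS][16];
    void  *data[NSLOTS];      /* one pointer-sized slot per key */
} ptr_table;

static void table_init(ptr_table *t)
{
    memset(t, 0, sizeof(*t));
    t->elem_size = sizeof(void *);
}

/* Checked update. zend_hash_update(ht, key, len, &data, size, NULL) trusts the
 * caller's `size`; if the caller passes sizeof(zval) while `data` is a zval* on
 * the stack, the copy reads sizeof(zval) bytes out of a pointer-sized slot,
 * which is the stack-buffer-overflow READ AddressSanitizer reported. This
 * wrapper refuses any size that does not match the table's element size.
 * Returns 0 on success, -1 on size mismatch, bad key or full table. */
static int table_update(ptr_table *t, const char *key, const void *data, size_t size)
{
    int i;
    if (size != t->elem_size)
        return -1;
    for (i = 0; i < t->used; i++)
        if (strcmp(t->keys[i], key) == 0)
            break;
    if (i == t->used) {
        if (t->used == NSLOTS || strlen(key) >= sizeof(t->keys[0]))
            return -1;
        strcpy(t->keys[i], key);
        t->used++;
    }
    memcpy(&t->data[i], data, size);   /* exactly one pointer, as in the fixed call */
    return 0;
}

/* Returns a pointer to the stored slot (a zval** for property tables), or NULL. */
static void *table_find(ptr_table *t, const char *key)
{
    for (int i = 0; i < t->used; i++)
        if (strcmp(t->keys[i], key) == 0)
            return &t->data[i];
    return NULL;
}

/* How many bytes past the end of `zv` the pre-fix call would have read. */
size_t overread_bytes(void)
{
    return sizeof(zval) - sizeof(zval *);
}

/* The fixed pattern: sizeof(zv) is the size of the pointer variable. */
long demo_correct_size(void)
{
    ptr_table props;
    zval storage = { { 42 }, 1, 1, 0 };   /* constructed IS_LONG-style value */
    zval *zv = &storage;                  /* the stack variable being copied */
    table_init(&props);
    if (table_update(&props, "days", &zv, sizeof(zv)) != 0)
        return -1;
    zval **found = table_find(&props, "days");
    return found ? (*found)->value.lval : -1;
}

/* The pre-fix pattern: sizeof(zval) names the struct, not the variable. */
int demo_wrong_size(void)
{
    ptr_table props;
    zval storage = { { 42 }, 1, 1, 0 };
    zval *zv = &storage;
    table_init(&props);
    return table_update(&props, "days", &zv, sizeof(zval));   /* rejected: -1 */
}

int main(void)
{
    printf("sizeof(zval)=%zu sizeof(zval *)=%zu over-read=%zu bytes\n",
           sizeof(zval), sizeof(zval *), overread_bytes());
    printf("correct size: stored %ld\n", demo_correct_size());
    printf("wrong size: update returned %d\n", demo_wrong_size());
    return 0;
}
```

The size check is cheap because the table already knows what it stores; an API that takes a bare byte count from the caller has no such knowledge, and the only signal that the count is wrong is a sanitizer or a lucky crash, which is exactly how this report surfaced.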