From: cyberleo at cyberleo dot net
Operating system: FreeBSD 4.10-REL
PHP version: 4CVS-2006-02-01 (snap)
PHP Bug Type: Streams related
Bug description: Weak type checking on stream_select() allows stack corruption
Description:
------------
Weak type checking on stream_select() allows stack corruption.
Passing a value that is not an integer to stream_select()'s fourth
parameter, tv_sec, appears to overwrite stack data, eventually resulting
in a program crash, corruption of function parameters or corruption of
function frame and return pointer. This can occur if a script uses math
functions to compute a delay that evaluates to a float, and typecasting is
not done, or if someone uses a string representation of an integer instead
(e.g. "86400" instead of 86400)
This bug was originally found on PHP-4.3.10, verified on 4.4.2 and the
latest php4 snapshot. It took a while to track down what was causing the
weird crashes.
Build options: --disable-cgi
Run from build directory: sapi/cli/php
No php.ini
Reproduce code:
---------------
$fp = fopen("/dev/zero","r"); // Random stream
while(TRUE){
echo "Start of loop here.\n";
$reads = Array($fp);
$delay = 3.7; // <- Anything but an integer.
$null = NULL;
printf("Waiting for data or %d seconds...\n",$delay);
$result = stream_select($reads, $null, $null, $delay);
if($result){
foreach($reads as $stream){
$data = fread($stream, 1);
printf("Read %d byte(s).\n", strlen($data));
}
}
}
Expected result:
----------------
An endless loop reading single ASCII 0 bytes from /dev/zero until
interrupted.
----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
...etc...
----
Actual result:
--------------
The code seems to run fine for a few iterations, but eventually starts
showing various errors or passing incorrect parameters to functions:
----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Warning: fread(): supplied argument is not a valid stream resource in
/usr/home/cyberleo/logs/working/crashtest.php on line 12
Read 0 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Warning: fread(): supplied argument is not a valid stream resource in
/usr/home/cyberleo/logs/working/crashtest.php on line 12
Read 0 byte(s).
Start of loop here.
Warning: stream_select(): 4 is not a valid stream resource in
/usr/home/cyberleo/logs/working/crashtest.php on line 9
Warning: stream_select(): 4 is not a valid stream resource in
/usr/home/cyberleo/logs/working/crashtest.php on line 9
(Program hangs at this point, no looping)
----
--
Edit bug report at http://bugs.php.net/?id=36242&edit=1
--
Try a CVS snapshot (PHP 4.4):
http://bugs.php.net/fix.php?id=36242&r=trysnapshot44
Try a CVS snapshot (PHP 5.1):
http://bugs.php.net/fix.php?id=36242&r=trysnapshot51
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=36242&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=36242&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=36242&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=36242&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=36242&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=36242&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=36242&r=support
Expected behavior: http://bugs.php.net/fix.php?id=36242&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=36242&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=36242&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=36242&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=36242&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=36242&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=36242&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=36242&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=36242&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=36242&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=36242&r=mysqlcfg
