From: cyberleo at cyberleo dot net
Operating system: FreeBSD 4.10-REL
PHP version: 5CVS-2006-02-01 (snap)
PHP Bug Type: Streams related
Bug description: Weak type checking on stream_select() allows stack corruption (php5)
Description:
------------
This bug is similar to http://bugs.php.net/36242; however, the symptoms are different.

Weak type checking on stream_select() allows stack corruption. Passing a value that is not an integer to stream_select()'s fourth parameter, tv_sec, appears to overwrite stack data. This results in strange, but consistent, modification of parameters passed to later functions. The corruption does not appear to be cumulative.

This can occur if a script uses math functions to compute a delay that evaluates to a float and typecasting is not done, or if someone uses a string representation of an integer instead (e.g. "86400" instead of 86400).

Build options: --disable-cgi
Run from build directory: sapi/cli/php
No php.ini

Reproduce code:
---------------
<?php
$fp = fopen("/dev/zero", "r"); // Always-readable stream, so select() returns at once
while (TRUE) {
    echo "Start of loop here.\n";
    $reads = array($fp);
    $delay = 3.7; // <- Anything but an integer triggers the bug.
    $null  = NULL;
    printf("Waiting for data or %d seconds...\n", $delay);
    // tv_sec receives a float here instead of the int it expects
    $result = stream_select($reads, $null, $null, $delay);
    if ($result) {
        foreach ($reads as $stream) {
            $data = fread($stream, 1); // asks for exactly one byte
            printf("Read %d byte(s).\n", strlen($data));
        }
    }
}

Expected result:
----------------
An endless loop reading single ASCII 0 bytes from /dev/zero until interrupted.

----
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 1 byte(s).
...etc...
----

Actual result:
--------------
Endless loop of reading 17 bytes. (My test run)

----
Start of loop here.
Waiting for data or 3 seconds...
Read 17 byte(s).
Start of loop here.
Waiting for data or 3 seconds...
Read 17 byte(s).
----
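A defensive wrapper, added here as an example and not part of the original report, that converts any numeric delay (a float such as 3.7 or a numeric string such as "86400") into the integer tv_sec/tv_usec pair before stream_select() is called, so the untyped value never reaches the fourth parameter; normalize_delay and safe_stream_select are names chosen for this example.

```php
<?php
// Added example (not from the bug report): only ever pass integers as
// tv_sec/tv_usec to stream_select(), whatever type the caller computed.

/**
 * Split an arbitrary numeric delay into array(int $sec, int $usec).
 * Rejects anything that is not a finite, non-negative number.
 */
function normalize_delay($delay)
{
    if (!is_numeric($delay)) {
        throw new InvalidArgumentException("delay must be numeric, got " . gettype($delay));
    }
    $delay = (float) $delay;          // handles "86400" and 3.7 alike
    if (!is_finite($delay) || $delay < 0) {
        throw new InvalidArgumentException("delay must be a finite, non-negative number");
    }
    $sec  = (int) floor($delay);
    $usec = (int) round(($delay - $sec) * 1000000);
    if ($usec >= 1000000) {           // rounding can carry into a full second
        $sec  += 1;
        $usec -= 1000000;
    }
    return array($sec, $usec);
}

/**
 * stream_select() wrapper: $read, $write, $except are by-reference exactly as
 * stream_select() expects; the delay is normalized to integers first.
 */
function safe_stream_select(&$read, &$write, &$except, $delay)
{
    list($sec, $usec) = normalize_delay($delay);
    return stream_select($read, $write, $except, $sec, $usec);
}

// Usage with the delay from the report: 3.7 becomes tv_sec=3, tv_usec=700000.
$fp    = fopen("/dev/zero", "r");
$reads = array($fp);
$null  = NULL;
$ready = safe_stream_select($reads, $null, $null, 3.7);
printf("%d stream(s) ready\n", $ready);
```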