From: dhiru dot kholia at gmail dot com
Operating system: Fedora 19
PHP version: 5.5.3
Package: Reproducible crash
Bug Type: Bug
Bug description: stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
Description:
------------
Summary: stack-buffer-overflow exists in DateTimeZone stuff which was caught by AddressSanitizer.
I am using Fedora 19's GCC which supports AddressSanitizer.
1. Download and extract php-5.5.3.tar.xz
2. Configure build flags,
export CFLAGS="-fsanitize=address -O2 -ggdb"
export LDFLAGS="-fsanitize=address"
3. Build PHP as usual using "make".
4. Running ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php crashes with:
*** Testing clone on DateTime objects ***
=================================================================
==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7 ...
READ of size 1 at 0x7fff0209a9d7 thread T0
    #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
    #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
    #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
    #3 0x9d8f1b in zif_var_dump /scratch/php-5.5.3/ext/standard/var.c:183 (discriminator 2)
    #4 0xdf048c in zend_do_fcall_common_helper_SPEC /scratch/php-5.5.3/Zend/zend_vm_execute.h:543
    #5 0xc01a9f in execute_ex /scratch/php-5.5.3/Zend/zend_vm_execute.h:356
    #6 0xb8394e in zend_execute_scripts /scratch/php-5.5.3/Zend/zend.c:1316
    #7 0xa5b2d4 in php_execute_script /scratch/php-5.5.3/main/main.c:2484
    #8 0xdf4ff1 in do_cli /scratch/php-5.5.3/sapi/cli/php_cli.c:994
    #9 0x434deb in main /scratch/php-5.5.3/sapi/cli/php_cli.c:1378
    #10 0x386b021b74 in ?? ??:0
    #11 0x435388 in _start ??:?
Test script:
---------------
$ ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php
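The report above is the kind of output a sanitizer-instrumented test run produces, and the useful triage data (bug class, access kind and size, innermost frame with a source location) is buried in it. The following POSIX shell script is an added example, not part of the bug report or of PHP; it parses such a report and fails the run when an AddressSanitizer error is present, which is how one would gate a CI job that builds with the CFLAGS/LDFLAGS shown in step 2. The embedded sample report is constructed to mirror the report in this bug, and the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an AddressSanitizer report.
# Extracts the error class, the faulting access and the innermost stack frame
# that carries a source location, then returns non-zero so a CI job fails.

# Constructed sample, modelled on the report in the bug above, so the script
# runs offline without building PHP.
SAMPLE_REPORT='*** Testing clone on DateTime objects ***
=================================================================
==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7 ...
READ of size 1 at 0x7fff0209a9d7 thread T0
    #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
    #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
    #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
    #10 0x386b021b74 in ?? ??:0'

# asan_error_class REPORT: print the bug class ASan named (e.g. stack-buffer-overflow),
# or nothing if the text contains no ASan error line.
asan_error_class() {
    printf '%s\n' "$1" | awk '/ERROR: AddressSanitizer:/ { print $4; exit }'
}

# asan_access REPORT: print "<READ|WRITE> <size>" for the faulting access.
asan_access() {
    printf '%s\n' "$1" | awk '/^(READ|WRITE) of size [0-9]+ at / { print $1, $4; exit }'
}

# asan_top_frame REPORT: print "<function> <file:line>" for the innermost frame
# that has a real source location (frames such as "?? ??:0" are skipped).
asan_top_frame() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#[0-9]+ / && $5 ~ /:[0-9]+$/ && $5 !~ /^\?\?/ { print $4, $5; exit }'
}

# asan_triage REPORT: one-line summary; exit status 1 when an ASan error is
# present so the calling job fails, 0 when the output is clean.
asan_triage() {
    class=$(asan_error_class "$1")
    if [ -z "$class" ]; then
        echo "no AddressSanitizer error found"
        return 0
    fi
    echo "ASan: $class, $(asan_access "$1") at $(asan_top_frame "$1")"
    return 1
}

# Usage: pipe the test run into a file and triage it, e.g.
#   ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php >log 2>&1
#   asan_triage "$(cat log)"
if asan_triage "$SAMPLE_REPORT"; then
    echo "build is clean"
else
    echo "sanitizer error detected, failing the build"
fi
```

The script keys on the fixed phrases ASan prints ("ERROR: AddressSanitizer:", "READ of size N at", "#N 0x... in func file:line"), so it works on reports from any ASan-instrumented binary, not only PHP; the `$5 !~ /^\?\?/` filter makes it report the first frame that points into your source rather than an unsymbolised libc frame.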
--
Edit bug report at https://bugs.php.net/bug.php?id=65564&edit=1