Edit report at https://bugs.php.net/bug.php?id=65564&edit=1

 ID:                 65564
 Comment by:         r...@php.net
 Reported by:        dhiru dot kholia at gmail dot com
 Summary:            stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
 Status:             Open
 Type:               Bug
 Package:            Reproducible crash
 Operating System:   Fedora 19
 PHP Version:        5.5.3
 Block user comment: N
 Private report:     N

 New Comment:

Reproduced php5.5-201308300430 snapshot.

This issue makes 62 failed tests, all in date extension.

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
date_isodate_set() tests [ext/date/tests/012.phpt]
date_date_set() tests [ext/date/tests/013.phpt]
timezone_offset_get() tests [ext/date/tests/014.phpt]
Test clone on DateTimeZone objects [ext/date/tests/DateTimeZone_clone_basic1.phpt]
Testing clone on objects whoose class derived from DateTimeZone class [ext/date/tests/DateTimeZone_clone_basic2.phpt]
Test clone of DateTimeZOne objects [ext/date/tests/DateTimeZone_clone_basic3.phpt]
Test new DateTimeZone() : basic functionality [ext/date/tests/DateTimeZone_construct_basic.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_1.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_2.phpt]
Test serialization of DateTimeZone objects [ext/date/tests/DateTimeZone_serialize_type_3.phpt]
Test clone of objects whoose class derived from DateTime class [ext/date/tests/DateTime_clone_basic2.phpt]
Test clone of DateTime objects [ext/date/tests/DateTime_clone_basic3.phpt]
Test new DateTime() : basic functionality [ext/date/tests/DateTime_construct_basic1.phpt]
Test new DateTime() function : usage variation - Passing unexpected values to first argument $time. [ext/date/tests/DateTime_construct_variation1.phpt]
Test new DateTime() function : usage variation - Passing unexpected values to second argument $timezone. [ext/date/tests/DateTime_construct_variation2.phpt]
Test DateTime::modify() function : usage variation - Passing unexpected values to first argument $modify. [ext/date/tests/DateTime_modify_variation1.phpt]
Test serialization of DateTime objects [ext/date/tests/DateTime_serialize.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to first argument $year. [ext/date/tests/DateTime_setDate_variation1.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to second argument $month. [ext/date/tests/DateTime_setDate_variation2.phpt]
Test DateTime::setDate() function : usage variation - Passing unexpected values to third argument $day. [ext/date/tests/DateTime_setDate_variation3.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to first argument $year. [ext/date/tests/DateTime_setISODate_variation1.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to second argument $week. [ext/date/tests/DateTime_setISODate_variation2.phpt]
Test DateTime::setISODate() function : usage variation - Passing unexpected values to third argument $day. [ext/date/tests/DateTime_setISODate_variation3.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to first argument $hour. [ext/date/tests/DateTime_setTime_variation1.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to second argument $minute. [ext/date/tests/DateTime_setTime_variation2.phpt]
Test DateTime::setTime() function : usage variation - Passing unexpected values to third argument $second. [ext/date/tests/DateTime_setTime_variation3.phpt]
Bug #41523 (strtotime('0000-00-00 00:00:00') is parsed as 1999-11-30) (64 bit) [ext/date/tests/bug41523-64bit.phpt]
Bug #45682 (Unable to var_dump(DateInterval)) [ext/date/tests/bug45682.phpt]
Bug #46108 (DateTime - Memory leak when unserializing) [ext/date/tests/bug46108.phpt]
Bug #48097 (date_timezone_set function produces wrong datetime result) [ext/date/tests/bug48097.phpt]
Bug #48678 (DateInterval segfaults when unserialising) [ext/date/tests/bug48678.phpt]
Bug #49081 (DateTime::diff() mistake if start in January and interval > 28 days) [ext/date/tests/bug49081.phpt]
Bug #49778 (DateInterval::format("%a") is always zero when an interval is created from an ISO string) [ext/date/tests/bug49778.phpt]
Bug #51866 (Lenient parsing with parseFromFormat) [ext/date/tests/bug51866.phpt]
Bug #52113 (Seg fault while creating (by unserialization) DatePeriod) [ext/date/tests/bug52113.phpt]
Bug #52738 (Can't use new properties in class extended from DateInterval) [ext/date/tests/bug52738.phpt]
Bug #52808 (Segfault when specifying interval as two dates) [ext/date/tests/bug52808.phpt]
Bug #53437 (Crash when using unserialized DatePeriod instance), variation 1 [ext/date/tests/bug53437.phpt]
Bug #53437 DateInterval basic serialization [ext/date/tests/bug53437_var2.phpt]
Bug #53437 (Check that var_dump out is the same using the whole object or it's single properties), variation 4 [ext/date/tests/bug53437_var4.phpt]
Bug #53437 DateInterval unserialize bad data, 64 bit [ext/date/tests/bug53437_var5.phpt]
Bug #54316 (DateTime::createFromFormat does not handle trailing '|' correctly) [ext/date/tests/bug54316.phpt]
Bug #54340 (DateTime::add() method bug) [ext/date/tests/bug54340.phpt]
Bug #60236 (TLA timezone dates are not converted properly from timestamp) [ext/date/tests/bug60236.phpt]
Bug #60774 (DateInterval::format("%a") is always zero when an interval is created using the createFromDateString method) [ext/date/tests/bug60774.phpt]
Test for + character in date format [ext/date/tests/date-lenient-create.phpt]
Test date_create() function : basic functionality [ext/date/tests/date_create_basic.phpt]
Test date_create() function : usage variation - Passing unexpected values to first argument $time. [ext/date/tests/date_create_variation1.phpt]
Test date_create() function : usage variation - Passing unexpected values to second argument $timezone. [ext/date/tests/date_create_variation2.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to second argument $year. [ext/date/tests/date_date_set_variation2.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to third argument $month. [ext/date/tests/date_date_set_variation3.phpt]
Test date_date_set() function : usage variation - Passing unexpected values to forth argument $day. [ext/date/tests/date_date_set_variation4.phpt]
Test for date_diff with timezone abbreviations. [ext/date/tests/date_diff1.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to second argument $year. [ext/date/tests/date_isodate_set_variation2.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to third argument $week. [ext/date/tests/date_isodate_set_variation3.phpt]
Test date_isodate_set() function : usage variation - Passing unexpected values to forth argument $day. [ext/date/tests/date_isodate_set_variation4.phpt]
Test date_modify() function : usage variation - Passing unexpected values to second argument $format. [ext/date/tests/date_modify_variation2.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to second argument $hour. [ext/date/tests/date_time_set_variation2.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to third argument $minute. [ext/date/tests/date_time_set_variation3.phpt]
Test date_time_set() function : usage variation - Passing unexpected values to forth argument $sec. [ext/date/tests/date_time_set_variation4.phpt]
date_create_from_format() and date_parse_from_format(). [ext/date/tests/test-parse-from-format.phpt]
Test timezone_open() function : basic functionality [ext/date/tests/timezone_open_basic1.phpt]
=====================================================================

Previous Comments:
------------------------------------------------------------------------
[2013-08-27 04:34:55] dhiru dot kholia at gmail dot com

Description:
------------
Summary : stack-buffer-overflow exists in DateTimeZone stuff which was caught by AddressSanitizer.

I am using Fedora 19's GCC which supports AddressSanitizer.

1. Download and extract php-5.5.3.tar.xz

2. Configure build flags,

   export CFLAGS="-fsanitize=address -O2 -ggdb"
   export LDFLAGS="-fsanitize=address"

3. Build PHP as usual using "make".

4. Running ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php crashes with,

*** Testing clone on DateTime objects ***
=================================================================
==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7 ...
READ of size 1 at 0x7fff0209a9d7 thread T0
    #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
    #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
    #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
    #3 0x9d8f1b in zif_var_dump /scratch/php-5.5.3/ext/standard/var.c:183 (discriminator 2)
    #4 0xdf048c in zend_do_fcall_common_helper_SPEC /scratch/php-5.5.3/Zend/zend_vm_execute.h:543
    #5 0xc01a9f in execute_ex /scratch/php-5.5.3/Zend/zend_vm_execute.h:356
    #6 0xb8394e in zend_execute_scripts /scratch/php-5.5.3/Zend/zend.c:1316
    #7 0xa5b2d4 in php_execute_script /scratch/php-5.5.3/main/main.c:2484
    #8 0xdf4ff1 in do_cli /scratch/php-5.5.3/sapi/cli/php_cli.c:994
    #9 0x434deb in main /scratch/php-5.5.3/sapi/cli/php_cli.c:1378
    #10 0x386b021b74 in ?? ??:0
    #11 0x435388 in _start ??:?

Test script:
---------------
$ ./sapi/cli/php ext/date/tests/DateTimeZone_clone_basic1.php

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=65564&edit=1
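
When one defect is suspected behind many failing tests, as with the 62 date-extension failures listed in this report, the AddressSanitizer output of each failing run can be bucketed by its top stack frames to check that they share a crash site. The following is an added example, not part of the bug report or of PHP's tooling; `parse_report`, `signature` and `bucket` are hypothetical names, and `REPORT_B` is a constructed second report.

```python
import re
from collections import defaultdict
# REPORT_A: header and selected frames copied from the report above.
REPORT_A = """\
==4551== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff0209a9d7 ...
READ of size 1 at 0x7fff0209a9d7 thread T0
    #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
    #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
    #2 0x9d8594 in php_var_dump /scratch/php-5.5.3/ext/standard/var.c:129 (discriminator 1)
    #10 0x386b021b74 in ?? ??:0
"""
# REPORT_B: constructed. Same two top frames, different pid, address and caller.
REPORT_B = """\
==9999== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd00001237 ...
READ of size 1 at 0x7ffd00001237 thread T0
    #0 0xba7a1d in _zend_hash_add_or_update /scratch/php-5.5.3/Zend/zend_hash.c:261
    #1 0x43bcb8 in date_object_get_properties_timezone /scratch/php-5.5.3/ext/date/php_date.c:2308
    #2 0x111111 in constructed_caller /constructed/caller.c:1
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS = re.compile(r"(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")

def parse_report(text):
    """Extract error kind, access type and size, and symbolized frames."""
    head, acc = HEADER.search(text), ACCESS.search(text)
    if not head or not acc:
        raise ValueError("not an AddressSanitizer memory-access report")
    # Keep (function, file name, line); drop frames ASan could not symbolize.
    frames = [(fn, path.rsplit("/", 1)[-1], int(line))
              for fn, path, line in FRAME.findall(text) if fn != "??"]
    return {"kind": head.group(1), "access": acc.group(1),
            "size": int(acc.group(2)), "frames": frames}

def signature(report, depth=2):
    """Stable crash key: no pids, addresses or line numbers."""
    top = tuple(f"{fn}@{src}" for fn, src, _ in report["frames"][:depth])
    return (report["kind"], report["access"]) + top

def bucket(reports, depth=2):
    """Group {label: report_text} by crash signature."""
    groups = defaultdict(list)
    for label, text in reports.items():
        groups[signature(parse_report(text), depth)].append(label)
    return dict(groups)

if __name__ == "__main__":
    for sig, labels in bucket({"A": REPORT_A, "B": REPORT_B}).items():
        print(len(labels), sig)
```

With `depth=2` both reports fall into one bucket; raising `depth` to 3 separates them by caller, which shows how the depth choice trades merging of unrelated crashes against splitting of one defect.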