unaligned memory access in phar.c

Bug #50987 unaligned memory access in phar.c
Submitted: 2010-02-10 07:27 UTC Modified: 2010-11-20 20:27 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: geissert at debian dot org Assigned: iliaa (profile)
Status: Closed Package: PHAR related
PHP Version: 5.3.1 OS: linux ia64
Private report: No CVE-ID: None

 [2010-02-10 07:27 UTC] geissert at debian dot org

Description:
------------
There's an unaligned memory access in ext/phar/phar.c's phar_set_32 function.

The following patch fixes it:

--- php.orig/ext/phar/phar.c
+++ php/ext/phar/phar.c
@@ -2491,7 +2491,7 @@ static inline void phar_set_32(char *buf
        *((buffer) + 1) = (unsigned char) (((var) >> 8) & 0xFF);
        *((buffer) + 0) = (unsigned char) ((var) & 0xFF);
 #else
-       *(php_uint32 *)(buffer) = (php_uint32)(var);
+       memcpy(buffer, &var, sizeof(var));
 #endif
 } /* }}} */
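Review bot: Replacing the explicit `(php_uint32)(var)` cast with `memcpy(buffer, &var, sizeof(var))` makes the written width depend on the declared type of `var`, and the hunk header cuts that signature off (`phar_set_32(char *buf`); if `var` is not exactly a 4-byte type this writes the wrong number of bytes into the archive header. Copying through a local keeps the old contract while still avoiding the unaligned store: `php_uint32 v = (php_uint32)(var); memcpy(buffer, &v, sizeof(v));`. Also confirm that string.h is reachable in phar.c so memcpy is declared.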


 [2010-02-10 20:05 UTC] pajoye@php.net

hi,

Can you provide test cases for these crashes, please, as well as your settings (CFLAGS & co.)? I can't see crashes on IA64 here (or on other 64-bit platforms). The same applies to your other reports :)

Thanks for your feedback!

 [2010-02-10 20:32 UTC] geissert at debian dot org

The phar one was found while building the extension itself (the call to php in ext/phar/Makefile.frag to generate phar.php).

There are probably more, but I still have to process them. In the meantime, here's another (found while unpacking pear):

@@ -512,7 +512,7 @@ void phar_entry_remove(phar_entry_data *
        (buffer) += 2
 #else
 # define PHAR_GET_32(buffer, var) \
-       var = *(php_uint32*)(buffer); \
+       memcpy(&var, buffer, sizeof(var)); \
        buffer += 4
 # define PHAR_GET_16(buffer, var) \
        var = *(php_uint16*)(buffer); \
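Review bot: The trailing context shows PHAR_GET_16 still reading through `*(php_uint16*)(buffer)`, the same unaligned dereference on a 2-byte type; it will trap under the same prctl --unaligned=signal run and should get the same memcpy treatment. As in the first hunk, `sizeof(var)` now depends on the type of whatever the caller passes as the macro argument, whereas the old code always read exactly 4 bytes; a temporary inside a do { ... } while (0) block (`php_uint32 tmp; memcpy(&tmp, buffer, sizeof(tmp)); var = tmp;`) preserves that width.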

As for CFLAGS: -O2 -Wall -fsigned-char -fno-strict-aliasing -g -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security

It should be easy for you to find them by running the test suite under prctl --unaligned=signal (all the phar tests will fail). That's how I found them all (I can provide the names of the tests that failed in a moment; I'm rebuilding with the patches I already provided).
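An added example, not code from ext/phar or from this report, contrasting the explicit byte-shift form (the big-endian branch visible in the patch context) with the memcpy form the patch introduces, and exercising stores at misaligned offsets of the kind prctl --unaligned=signal catches; the names le_set_32, memcpy_set_32, memcpy_get_32 and check_unaligned_roundtrip are hypothetical helpers:

```c
#include <stdint.h>
#include <string.h>

/* Explicit little-endian byte form (correct on any host); it mirrors the
 * big-endian branch of phar_set_32 visible in the patch context. */
static void le_set_32(unsigned char *buf, uint32_t v)
{
    buf[0] = (unsigned char)(v & 0xFF);
    buf[1] = (unsigned char)((v >> 8) & 0xFF);
    buf[2] = (unsigned char)((v >> 16) & 0xFF);
    buf[3] = (unsigned char)((v >> 24) & 0xFF);
}

/* memcpy form, as the patch substitutes for *(php_uint32 *)buf = v. It copies
 * host-order bytes, so like phar's #else branch it is only valid on
 * little-endian hosts. The cast it replaces is undefined behaviour when buf
 * is not 4-byte aligned and traps on ia64 under prctl --unaligned=signal. */
static void memcpy_set_32(unsigned char *buf, uint32_t v)
{
    memcpy(buf, &v, sizeof v);
}

static uint32_t memcpy_get_32(const unsigned char *buf)
{
    uint32_t v;
    memcpy(&v, buf, sizeof v);
    return v;
}

static int host_is_little_endian(void)
{
    const uint32_t probe = 1;
    return *(const unsigned char *)&probe == 1; /* char access is always allowed */
}

/* Store v at offsets 0..3 of a buffer (three of the four stores are
 * misaligned), read it back, and on a little-endian host compare the bytes
 * with the explicit form. Returns 1 when every check passes, 0 otherwise. */
int check_unaligned_roundtrip(uint32_t v)
{
    unsigned char buf[8], ref[4];
    le_set_32(ref, v);
    for (int off = 0; off < 4; off++) {
        memset(buf, 0, sizeof buf);
        memcpy_set_32(buf + off, v);
        if (memcpy_get_32(buf + off) != v) return 0;
        if (host_is_little_endian() && memcmp(buf + off, ref, 4) != 0) return 0;
    }
    return 1;
}
```

Built with -Wcast-align or run under prctl --unaligned=signal on a strict-alignment host, the memcpy helpers pass at every offset where the original cast would have faulted.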

 [2010-03-06 02:20 UTC] geissert@php.net

Any reason for not applying the patch? Cheers

 [2010-11-19 14:20 UTC] iliaa@php.net

-Assigned To: cellog +Assigned To: iliaa

 [2010-11-20 20:27 UTC] iliaa@php.net

-Status: Assigned +Status: Closed

 [2010-11-20 20:27 UTC] iliaa@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.