Bug #70748 :: Segfault in ini_lex () at Zend/zend_ini_scanner.l:459

| Bug #70748 | Segfault in ini_lex () at Zend/zend_ini_scanner.l:459 | | |
|---|---|---|---|
| Submitted: | 2015-10-20 00:28 UTC | Modified: | - |
| From: | brian dot carpenter at gmail dot com | Assigned: | |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | 5.4.45 | OS: | Debian 7 x64 |
| Private report: | No | CVE-ID: | None |
[2015-10-20 00:28 UTC] brian dot carpenter at gmail dot com
Description:
------------
This crash was found with American Fuzzy Lop and affects the following versions of PHP:
PHP 5.4.45-0+deb7u1 (cli) (built: Sep 10 2015 08:34:47)
PHP 7.1.0-dev (cli) (built: Oct 17 2015 14:52:25) ( NTS )
A malformed ini file triggers a segfault in ini_lex () at Zend/zend_ini_scanner.l:459.
Test script:
---------------
```php
<?php
define('BIRD', 'Dodo bird');
// test.ini is the fuzzer-generated malformed file linked below
$ini_array = parse_ini_file("test.ini");
print_r($ini_array);
?>
```
https://dl.dropboxusercontent.com/u/6088006/test.ini
Expected result:
----------------
No crash.
Actual result:
--------------
```
==51924== Invalid read of size 1
==51924==    at 0x131CFB4: ini_lex (zend_ini_scanner.l:459)
==51924==    by 0x130C155: ini_parse (zend_ini_parser.c:1637)
==51924==    by 0x130DCAF: zend_parse_ini_file (zend_ini_parser.y:217)
==51924==    by 0xFB5685: zif_parse_ini_file (basic_functions.c:5926)
==51924==    by 0x163D4D4: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==51924==    by 0x15F7B32: execute_ex (zend_vm_execute.h:414)
==51924==    by 0x18154C4: zend_execute (zend_vm_execute.h:458)
==51924==    by 0x143B857: zend_execute_scripts (zend.c:1428)
==51924==    by 0x11F3B2F: php_execute_script (main.c:2471)
==51924==    by 0x181E478: do_cli (php_cli.c:974)
==51924==    by 0x4526D0: main (php_cli.c:1345)
==51924==  Address 0x104022018 is not stack'd, malloc'd or (recently) free'd
==51924==
==51924==
==51924== Process terminating with default action of signal 11 (SIGSEGV)
==51924==  Access not within mapped region at address 0x104022018
==51924==    at 0x131CFB4: ini_lex (zend_ini_scanner.l:459)
==51924==    by 0x130C155: ini_parse (zend_ini_parser.c:1637)
==51924==    by 0x130DCAF: zend_parse_ini_file (zend_ini_parser.y:217)
==51924==    by 0xFB5685: zif_parse_ini_file (basic_functions.c:5926)
==51924==    by 0x163D4D4: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:586)
==51924==    by 0x15F7B32: execute_ex (zend_vm_execute.h:414)
==51924==    by 0x18154C4: zend_execute (zend_vm_execute.h:458)
==51924==    by 0x143B857: zend_execute_scripts (zend.c:1428)
==51924==    by 0x11F3B2F: php_execute_script (main.c:2471)
==51924==    by 0x181E478: do_cli (php_cli.c:974)
==51924==    by 0x4526D0: main (php_cli.c:1345)
==51924==  If you believe this happened as a result of a stack
==51924==  overflow in your program's main thread (unlikely but
==51924==  possible), you can try to increase the size of the
==51924==  main thread stack using the --main-stacksize= flag.
==51924==  The main thread stack size used in this run was 8388608.
Segmentation fault
```
%%%
```
Program received signal SIGSEGV, Segmentation fault.
0x000000000131cfb4 in ini_lex () at Zend/zend_ini_scanner.l:459
459	EAT_TRAILING_WHITESPACE();
(gdb) bt
#0  0x000000000131cfb4 in ini_lex () at Zend/zend_ini_scanner.l:459
#1  0x000000000130c156 in ini_parse ()
    at /home/geeknik/php-src/Zend/zend_ini_parser.c:1637
#2  0x000000000130dcb0 in zend_parse_ini_file ()
    at /home/geeknik/php-src/Zend/zend_ini_parser.y:217
#3  0x0000000000fb5686 in zif_parse_ini_file ()
#4  0x000000000163d4d5 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:586
#5  0x00000000015f7b33 in execute_ex ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:414
#6  0x00000000018154c5 in zend_execute ()
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:458
#7  0x000000000143b858 in zend_execute_scripts ()
    at /home/geeknik/php-src/Zend/zend.c:1428
#8  0x00000000011f3b30 in php_execute_script ()
    at /home/geeknik/php-src/main/main.c:2471
#9  0x000000000181e479 in do_cli ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:974
#10 0x00000000004526d1 in main ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1345
(gdb) i r
rax            0x7ffff7ff801b	140737354104859
rbx            0x1fee700	33482496
rcx            0xffffffff	4294967295
rdx            0x9	9
rsi            0x1c5ec40	29748288
rdi            0x20	32
rbp            0x7ffff7ff8018	0x7ffff7ff8018
rsp            0x7fffffff9820	0x7fffffff9820
r8             0x7fffffff9910	140737488328976
r9             0x7ffff7ff8003	140737354104835
r10            0xfffffffe	4294967294
r11            0xff	255
r12            0x1	1
r13            0x7ffff7ff801a	140737354104858
r14            0x7ffff7ff8000	140737354104832
r15            0x7ffff7ff802f	140737354104879
rip            0x131cfb4	0x131cfb4 <ini_lex+58820>
eflags         0x10286	[ PF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
```