Skip to content

Fix GH-13309: array hashes comparison, wrong buffer len calculation. #13315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix GH-13309: array hashes comparison, wrong buffer len calculation. #13315

wants to merge 1 commit into from

Conversation

devnexen
Copy link
Member

@devnexen devnexen commented Feb 3, 2024

php_array_key_compare_string_case_unstable_i has a typo for the second operand resulting in a wrong buffer size calculation.

Issue reported by @AlexRudyuk

@devnexen
Fix phpGH-13309: array hashes comparison, wrong buffer len calculation.
016e4f1 
php_array_key_compare_string_case_unstable_i has a typo for the second
operand resulting in a wrong buffer size calculation.

Issue reported by @AlexRudyuk
@devnexen devnexen requested a review from nielsdos February 3, 2024 11:58
nielsdos
nielsdos approved these changes Feb 3, 2024
View reviewed changes
Copy link
Member

@nielsdos nielsdos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
This is essentially the same bug as #13310, so might as well fix that too here?

@devnexen devnexen closed this in d91224c Feb 3, 2024
@nielsdos
Copy link
Member

nielsdos commented Feb 3, 2024

@devnexen forgot to update this? https://github.com/php/php-src/blob/master/ext/standard/array.c#L241

@devnexen
Copy link
Member Author

devnexen commented Feb 3, 2024

ah true sorry..

bukka
bukka reviewed Feb 4, 2024
View reviewed changes
NEWS
@@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.2.17

- Core:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be Standard.

@bukka
Copy link
Member

bukka commented Feb 4, 2024

@devnexen Have you tried to analyse the issue and see if we can produce some test for this and what the impact is? It might point to some missing coverage if this has not be found for so long...

@bukka
Copy link
Member

bukka commented Feb 4, 2024

Ok I just had a quick look and it seems to me that this is not even used: php_array_key_compare_string_case_unstable_i so it's not really a bug...

@bukka
Copy link
Member

bukka commented Feb 4, 2024
edited
Loading

So there are follow ups and the part that matter and needs some further analysis is merged in b06d6db . There is actually one more behind as well for master which is the same so it took me a little while to get my head around all those commits. I would recommend to wait with merging a little bit next time to make sure everything is done in a single commit.

@bukka
Copy link
Member

bukka commented Feb 4, 2024

Also please create a PR for those sort of changes even if it's a follow up so we can be sure that it runs fine all the tests - this PR is actually pointless because it is for unused code but for all used code there should be always a PR.

@devnexen
Copy link
Member Author

devnexen commented Feb 4, 2024

Also please create a PR for those sort of changes even if it's a follow up so we can be sure that it runs fine all the tests - this PR is actually pointless because it is for unused code but for all used code there should be always a PR.

In fact it should have belonged in the same PR, I forgot to add this change. But agreed for the rest.

devnexen added a commit to devnexen/php-src that referenced this pull request Feb 4, 2024
@devnexen
[ci skip] Fix NEWS entry for phpGH-13315.
59d555c
@bukka
Copy link
Member

bukka commented Feb 4, 2024

I have just done some analysis and don't think this is actually a big problem (except the int overflow). The code that triggers that place is following:

<?php

$a = [
    '11111111111111111111111111111111111111111' => 1,
    12 => 2
];

var_dump(ksort($a, SORT_NATURAL));

The first element does not really matter - I just tried larger string to be sure that the comparison does not continue. The thing is that number gets written to the buffer that is null terminated so the l2 length (which is effectively the int overflow). But due to the fact that l1 is correct and the string is null terminated, it is not going to overflow the buffer. At least that how it looked to me from debugging.

devnexen added a commit that referenced this pull request Feb 4, 2024
@devnexen
Fix NEWS entry for GH-13315.
7096eff 
Close GH-13325
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bukka bukka bukka left review comments

@nielsdos nielsdos nielsdos approved these changes

Assignees
No one assigned
Labels
Category: Arrays Extension: standard
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@devnexen @nielsdos @bukka