Skip to content

Fix out-of bounds access #2382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fix out-of bounds access #2382

wants to merge 1 commit into from

Conversation

Zenju
Copy link
Contributor

@Zenju Zenju commented Feb 12, 2017

Test case: strnatcmp_ex(L"333", 3, L"333 ", 4, true)
The reason this bug didn't come up earlier is probably because most input strings are null-terminated.

@Zenju
Fix out-of bounds access
e543e02 
Test case: strnatcmp_ex(L"333", 3, L"333 ", 4, true)
The reason this bug didn't come up earlier is probably because most input strings are null-terminated.
@staabm
Copy link
Contributor

staabm commented Feb 12, 2017

Should be covered by a test

@Zenju
Copy link
Contributor Author

Zenju commented Feb 12, 2017
edited
Loading

The "isspace" calls also miss bounds-checks, except for input that is null-terminated.

while (isspace((int)(unsigned char)ca)) { ca = *++ap; }

also the following "isdigit" should check for bounds.

@Zenju
Copy link
Contributor Author

Zenju commented Feb 12, 2017

Also the behavior of "compare_left" is strange. The result is unlike what other "natural" string comparison functions would do,e .g.. CompareString + SORT_DIGITSASNUMBERS on Windows, or CFStringCompare + kCFCompareNumerically on macOS. Maybe the whole function should be rewritten?

@laruence
Copy link
Member

could you please add a test to trigger this bug? (as long as the problem could be seen via valgrind)

@nikic
Copy link
Member

nikic commented Mar 2, 2017

It's probably not possible to test this from PHP, as this assumes non-terminated strings.

I've ran into this issue recently when fixing issues with parse_url on non-terminated strings. Maybe we can introduce something like ext/test where we can include tests like this?

@krakjoe
Copy link
Member

krakjoe commented Mar 2, 2017

@nikic that sounds reasonable to me, may be useful for many other things also ...

@nikic
Copy link
Member

nikic commented Mar 16, 2017

Test extension has been added in #2414, it is now possible to write a test for this. Example of how an unterminated string test looks like: https://github.com/nikic/php-src/blob/e81452b5c39a950272d3606a07c3591f70414960/ext/standard/tests/url/parse_url_unterminated.phpt

@krakjoe
Copy link
Member

krakjoe commented Apr 3, 2017

@Zenju please update this PR with a test ...

@cmb69
Copy link
Member

cmb69 commented Feb 24, 2018

Regression test:

--TEST--
strnat(case)cmp(): potential OOB access for unterminated strings
--SKIPIF--
<?php
if (!function_exists('zend_create_unterminated_string')) die('skip zend_test extension not available');
?>
--FILE--
<?php
$a = zend_create_unterminated_string('333');
$b = zend_create_unterminated_string('333 ');
var_dump(
    strnatcmp($a, $b),
    strnatcasecmp($b, $a)
);
zend_terminate_string($a);
zend_terminate_string($b);
?>
===DONE===
--EXPECT--
int(-1)
int(1)
===DONE===

php-pulls pushed a commit that referenced this pull request Jul 6, 2018
@cmb69 @weltling
Add test for PR #2382
b37dafc
@weltling
Copy link
Contributor

weltling commented Jul 6, 2018

Pushed both the @Zenju's patch and the Christoph's test. Valgrind is happy.

@Zenju if you'd like to contribute more, please pay attention to the testability. Bare patches suffice in some cases, but usually a test is required.

Thanks.

@weltling weltling closed this Jul 6, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Quickfix Waiting on Author
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@Zenju @staabm @laruence @nikic @krakjoe @cmb69 @weltling