Edit report at https://bugs.php.net/bug.php?id=54401&edit=1

 ID:                 54401
 Updated by:         fel...@php.net
 Reported by:        fel...@php.net
 Summary:            DatePeriod crashes when constructor is not called
 Status:             Assigned
-Type:               Security
+Type:               Bug
 Package:            Reproducible crash
 PHP Version:        Irrelevant
 Assigned To:        derick
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2012-07-08 08:47:22] reeze dot xia at gmail dot com

This bug looks the same as https://bugs.php.net/bug.php?id=62500.
It initializes private data in the constructor; extending the class without
calling its constructor may cause a segfault. DateInterval adds a check
before performing any operation; if it's not initialized, a warning will be
raised.

This may be fixed this way too.

------------------------------------------------------------------------
[2011-03-27 15:32:08] fel...@php.net

Description:
------------
DatePeriod relies on the constructor being called before trying to iterate over
its data.

Test script:
---------------
<?php

class foo extends DatePeriod {
        public function __construct() { }
}

foreach (new foo as $y);

Expected result:
----------------
No crash

Actual result:
--------------
Crash

#0  memcpy () at ../sysdeps/i386/i686/memcpy.S:75
#1  0xbffff2c8 in ?? ()
#2  0x0806ec1f in date_period_it_rewind (iter=0x8b1e584, tsrm_ls=0x89022a0) at /home/felipe/dev/php5/ext/date/php_date.c:1902
#3  0x0855330a in ZEND_FE_RESET_SPEC_VAR_HANDLER (execute_data=0x8ade614, tsrm_ls=0x89022a0) at /home/felipe/dev/php5/Zend/zend_vm_execute.h:8816
#4  0x08531442 in execute (op_array=0x8ab2ba0, tsrm_ls=0x89022a0) at /home/felipe/dev/php5/Zend/zend_vm_execute.h:107
#5  0x084fef3d in zend_execute_scripts (type=8, tsrm_ls=0x89022a0, retval=0x0, file_count=3) at /home/felipe/dev/php5/Zend/zend.c:1194
#6  0x0847ad48 in php_execute_script (primary_file=0xbffff488, tsrm_ls=0x89022a0) at /home/felipe/dev/php5/main/main.c:2270
#7  0x085dada7 in main (argc=2, argv=0xbffff604) at /home/felipe/dev/php5/sapi/cli/php_cli.c:1193



------------------------------------------------------------------------
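Added example, not part of either comment above and not code from php_date.c: a simplified C model of the failure (an iterator rewind that memcpy()s from private data only the constructor sets) next to the initialization check suggested in the 2012 comment. All type and function names are hypothetical, and the assumption that the skipped constructor leaves a NULL pointer is part of the model.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the extension's internal structures. */
typedef struct { int y, m, d; } model_time;

typedef struct {
    model_time *start;       /* private data, set only by the constructor */
    model_time  current;     /* iterator cursor filled in by rewind */
    int         initialized;
} model_period;

/* What the constructor is responsible for: populating the private data. */
void model_period_construct(model_period *p, model_time *start)
{
    p->start = start;
    p->initialized = 1;
}

/* Unguarded rewind: copies from p->start unconditionally. If a subclass
 * overrode the constructor without calling the parent, p->start is still
 * NULL and memcpy() reads through it (the crash class in the report). */
void model_rewind_unchecked(model_period *p)
{
    memcpy(&p->current, p->start, sizeof(model_time));
}

/* Guarded rewind: refuse to operate on an object whose constructor never
 * ran. Returns 0 on success, -1 when uninitialized (the point at which
 * the engine would raise a warning instead of crashing). */
int model_rewind_checked(model_period *p)
{
    if (!p->initialized || p->start == NULL) {
        return -1;
    }
    memcpy(&p->current, p->start, sizeof(model_time));
    return 0;
}

int main(void)
{
    model_period skipped = {0};        /* constructor never ran */
    model_time   t = {2011, 3, 27};    /* constructed sample value */
    model_period ok = {0};

    model_period_construct(&ok, &t);
    return (model_rewind_checked(&skipped) == -1 &&
            model_rewind_checked(&ok) == 0 &&
            ok.current.y == 2011) ? 0 : 1;
}
```

The same guard belongs at every entry point that touches the private data, not only rewind, since any method reachable from a subclass can be called on the unconstructed object.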


