|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-03-28 08:22 UTC] stas@php.net
-PHP Version: 5.6.19
+PHP Version: 5.5.33
[2016-03-28 08:22 UTC] stas@php.net
[2016-03-28 08:27 UTC] stas@php.net
[2016-03-29 00:29 UTC] fernando at null-life dot com
[2016-03-29 06:47 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-03-29 06:55 UTC] stas@php.net
[2016-03-29 06:55 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-03-29 06:55 UTC] stas@php.net
[2016-03-29 09:30 UTC] ab@php.net
[2016-03-29 09:30 UTC] ab@php.net
[2016-04-25 17:06 UTC] remi@php.net
-CVE-ID:
+CVE-ID: 2016-4073
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 09:01:32 2024 UTC |
Description: ------------ 1. Compile PHP with ASAN enabled. 2. Run attached test case on 32 bits. php5-5.6.17+dfsg.orig/ext/mbstring/mbstring.c:2858 2858 if (len < 0) { (gdb) print len $64 = 2147483647 This value will later set the sz value to -1, and that value is used inside memcpy. php5-5.6.17+dfsg.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c:1542 1560 sz = end - start; ... 1568 memcpy(w, start, sz); Test script: --------------- <?php $var1="AAAA"; $var2=1; $var3=2147483647; //max int mb_strcut($var1, $var2, $var3); Expected result: ---------------- Not crash Actual result: -------------- ================================================================= ==415==ERROR: AddressSanitizer: negative-size-param: (size=-1) #0 0xb7ae5b04 in __asan_memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ab04) #1 0xb7ae5c2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f) #2 0x87cb167 in memcpy /usr/include/i386-linux-gnu/bits/string3.h:53 #3 0x87cb167 in mbfl_strcut /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c:1568 #4 0x87fcb5e in zif_mb_strcut /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/mbstring/mbstring.c:2869 #5 0x9a3a625 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558 #6 0x9626675 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363 #7 0x97d2a43 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388 #8 0x94291fb in zend_execute_scripts /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:1341 #9 0x912def5 in php_execute_script /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:2597 #10 0x9a47448 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:994 #11 0x8087418 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378 #12 0xb7640645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645) #13 0x80879eb (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x80879eb) 0xb3017411 is located 97297 bytes inside of 1048576-byte region [0xb2fff800,0xb30ff800) allocated by thread T0 here: #0 0xb7af1d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06) #1 0x954157e in zend_interned_strings_init /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_string.c:48 SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy