|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-04-19 06:31 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-04-19 06:31 UTC] stas@php.net
[2016-04-19 06:33 UTC] stas@php.net
[2016-04-19 06:33 UTC] stas@php.net
-Status: Open
+Status: Closed
[2016-04-19 06:34 UTC] stas@php.net
[2016-04-28 00:34 UTC] tyrael@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Jan 22 10:01:30 2025 UTC |
Description: ------------ When passing an element from an array to imageaffinematrixget's second parameter it will change some of it's content and corrupt the value of it, this could cause additional memory issues when the corrupt value is used in other functions. Test case 1 seems to be reading data from somewhere else. In the test case 2 and 3, it makes the interpreter believe that the string has a -1294975648 length. This was tested on a 32 bits system. Test script: --------------- Test case 1: <?php $vals=[str_repeat("A", "200" ), 0, 1, 2, 3,4,5,6,7,8,9]; imageaffinematrixget(4,$vals[0]); var_dump($vals[0]); Test case 2: <?php for($i=0;$i<3990;++$i){$arr[]=[];}; $vals=["AA",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[],0,0,0,0,0,[],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[],[],[],0,0,0,0,$arr,0,0,0,0,0,0,0,0,0,0,0]; imageaffinematrixget(4,$vals[0]); str_replace(0,$vals[83],0); var_dump($vals[0]); //defined($vals[0]); Test case 3: <?php for($i=0;$i<3990;++$i){$arr[]=[];}; $vals=["AA",0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[],0,0,0,0,0,[],0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,[],[],[],0,0,0,0,$arr,0,0,0,0,0,0,0,0,0,0,0]; imageaffinematrixget(4,$vals[0]); str_replace(0,$vals[83],0); defined($vals[0]); Expected result: ---------------- Case 1: string(200) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" Case 2 and 3: At least not crash Actual result: -------------- Case 1: string(200) "l?m???m?1ent-type: text/html; charset=UTF-8A1??-4?m??m?p?m?-?m?" Case 2: string(-1294975648) "ASAN:SIGSEGV ================================================================= ==3788==ERROR: AddressSanitizer: SEGV on unknown address 0x00000028 (pc 0x09309ea4 bp 0xb422ac58 sp 0xbfffc160 T0) #0 0x9309ea3 in zend_mm_remove_from_free_list /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_alloc.c:837 #1 0x9309ea3 in _zend_mm_free_int /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_alloc.c:2105 #2 0x9309ea3 in _efree /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_alloc.c:2440 #3 0x93d0748 in _zval_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_variables.h:35 #4 0x93d0748 in i_zval_ptr_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute.h:79 #5 0x93d0748 in _zval_ptr_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:424 #6 0x94fa093 in zend_hash_destroy /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:548 #7 0x946eea4 in _zval_dtor_func /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_variables.c:45 #8 0x93d0748 in _zval_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_variables.h:35 #9 0x93d0748 in i_zval_ptr_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute.h:79 #10 0x93d0748 in _zval_ptr_dtor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:424 #11 0x94fc1b7 in i_zend_hash_bucket_delete /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:182 #12 0x94fc1b7 in zend_hash_bucket_delete /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:192 #13 0x94fc1b7 in zend_hash_graceful_reverse_destroy /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:613 #14 0x93d401d in shutdown_executor /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_execute_API.c:244 #15 0x9475b3a in zend_deactivate /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:960 #16 0x9182057 in php_request_shutdown /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:1883 #17 0x9a9d5c4 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1177 #18 0x8088248 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378 #19 0xb763f645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645) #20 0x808881b (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x808881b) Case 3: ==3821==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4250800 at pc 0x095058b9 bp 0xbfffa9e8 sp 0xbfffa9d8 READ of size 1 at 0xb4250800 thread T0 #0 0x95058b8 in zend_inline_hash_func /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.h:279 #1 0x95058b8 in zend_hash_find /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_hash.c:846 #2 0x93ca9d5 in zend_get_constant /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_constants.c:279 #3 0x93cbe75 in zend_get_constant_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_constants.c:435 #4 0x952bb27 in zif_defined /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_builtin_functions.c:739 #5 0x9a92c45 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558 #6 0x967ec95 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363 #7 0x982b063 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388 #8 0x948181b in zend_execute_scripts /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:1341 #9 0x9186515 in php_execute_script /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:2597 #10 0x9a9fa68 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:994 #11 0x8088248 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378 #12 0xb763f645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645) #13 0x808881b (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x808881b)