[2016-06-16 05:00 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-06-21 06:49 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-06-21 07:03 UTC] stas@php.net
[2016-06-21 07:26 UTC] stas@php.net
[2016-06-21 07:27 UTC] stas@php.net
[2016-06-22 05:58 UTC] krakjoe@php.net
[2016-06-23 12:50 UTC] kaplan@php.net
-CVE-ID:
+CVE-ID: 2016-5770
[2016-06-25 02:13 UTC] seth dot arnold at canonical dot com
[2016-06-27 00:14 UTC] stas@php.net
Description:
------------
int/size_t confusion in SplFileObject::fread. This bug is similar to bug #72114.

```c
SPL_METHOD(SplFileObject, fread)
{
	spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
	long length = 0;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &length) == FAILURE) {
		return;
	}

	if (length <= 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be greater than 0");
		RETURN_FALSE;
	}

	Z_STRVAL_P(return_value) = emalloc(length + 1);
	Z_STRLEN_P(return_value) = php_stream_read(intern->u.file.stream, Z_STRVAL_P(return_value), length);

	/* needed because recv/read/gzread doesnt put a null at the end*/
	Z_STRVAL_P(return_value)[Z_STRLEN_P(return_value)] = 0;
	Z_TYPE_P(return_value) = IS_STRING;
}
```

PoC:

```php
<?php
ini_set('memory_limit', -1);
$filename = '/dev/zero';
$file = new SplFileObject($filename, 'r');
$file->fread(2147483648);
?>
```

Fix:

```diff
		RETURN_FALSE;
	}
+	if (length > INT_MAX) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
+		RETURN_FALSE;
+	}
	Z_STRVAL_P(return_value) = emalloc(length + 1);
```
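Review bot: the `length > INT_MAX` guard still lets `length == INT_MAX` reach `emalloc(length + 1)`, and on a 32-bit build, where `long` and `int` have the same width, that `length + 1` is a signed overflow; make it `length >= INT_MAX`, since the extra byte is the terminator written by `Z_STRVAL_P(return_value)[Z_STRLEN_P(return_value)] = 0` and the count plus one has to fit as well. Placement is right: the check sits after the `length <= 0` test and before the allocation, so `RETURN_FALSE` fires with nothing to free. As the description ties this to bug #72114, the same guard belongs on every path that narrows a `long` length into the `int` string length.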
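An added example, not code from the PHP source tree or from the reporter, that models the narrowing the report describes in plain C. `php_stream_read()` counts bytes in `size_t`, but the PHP 5 `Z_STRLEN` field is an `int`, so a read of 2147483648 bytes from /dev/zero stores a negative length and the terminating NUL write lands 2 GiB before the buffer. The names `zero_stream`, `zero_stream_read`, `stored_strlen`, `terminator_index`, `checked_fread` and `fread_len` are this example's own; it assumes an LP64 target (64-bit `long`, 32-bit `int`) as the PoC does, and its hardened read rejects `length >= INT_MAX` rather than the patch's `length > INT_MAX`, a deliberate choice so that `length + 1` fits too:

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's code. Assumes LP64 (long 64-bit, int 32-bit),
 * the same platform shape the PoC relies on. */

/* Stand-in for a php_stream on /dev/zero: hands out NUL bytes up to
 * `available`, counting in size_t exactly like php_stream_read(). */
typedef struct { size_t available; } zero_stream;

static size_t zero_stream_read(zero_stream *s, char *buf, size_t want) {
    size_t n = want < s->available ? want : s->available;
    memset(buf, 0, n);
    s->available -= n;
    return n;
}

/* The vulnerable assignment: a size_t byte count stored into the int
 * Z_STRLEN field. For counts >= 2^31 the value no longer fits; on the
 * usual two's-complement targets the stored int comes out negative. */
static int stored_strlen(size_t bytes_read) {
    return (int)bytes_read;
}

/* The index the original code then uses for buf[Z_STRLEN] = 0. A negative
 * result means the NUL is written before the emalloc'd buffer (2 GiB
 * before it for the PoC's 2147483648 bytes). */
static long terminator_index(size_t bytes_read) {
    return (long)stored_strlen(bytes_read);
}

/* Hardened fread body: refuse any length the int field cannot hold before
 * anything is allocated. Uses >= instead of the patch's > (this example's
 * choice) so that length + 1 fits as well and cannot overflow on ILP32.
 * Returns a NUL-terminated buffer the caller frees and stores the byte
 * count in *out_len, or returns NULL when the request is refused. */
static char *checked_fread(zero_stream *s, long length, int *out_len) {
    if (length <= 0) {
        return NULL;            /* the original "must be greater than 0" check */
    }
    if (length >= INT_MAX) {
        return NULL;            /* count (and count + 1) must be representable as int */
    }
    char *buf = malloc((size_t)length + 1);
    if (buf == NULL) {
        return NULL;
    }
    size_t got = zero_stream_read(s, buf, (size_t)length);
    /* got <= length < INT_MAX: the narrowing is now lossless and the
       terminator index is always inside the allocation. */
    *out_len = (int)got;
    buf[got] = '\0';
    return buf;
}

/* Convenience wrapper: read `length` bytes from a stream holding `available`
 * bytes and return the resulting length, or -1 if the call was refused. */
static int fread_len(size_t available, long length) {
    zero_stream s = { available };
    int len = 0;
    char *buf = checked_fread(&s, length, &len);
    if (buf == NULL) {
        return -1;
    }
    free(buf);
    return len;
}

int main(void) {
    size_t poc_len = (size_t)INT_MAX + 1;   /* the PoC's 2147483648 */
    printf("Z_STRLEN the old code stores for %zu bytes: %d\n",
           poc_len, stored_strlen(poc_len));
    printf("terminating NUL written at index %ld\n", terminator_index(poc_len));
    printf("hardened read of 16 bytes: %d\n", fread_len(1000, 16));
    printf("hardened read of 2^31 bytes refused: %d\n",
           fread_len(1000, (long)INT_MAX + 1));
    return 0;
}
```

The arithmetic functions show the corruption without allocating 2 GiB: `terminator_index` is exactly the offset the old code would write to, and `checked_fread` shows that the fix must run before `emalloc()`, because after the read the damage is already done.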