[2017-09-11 04:45 UTC] laruence@php.net
-Type: Security
+Type: Bug
[2017-09-11 04:45 UTC] laruence@php.net
[2017-09-21 23:04 UTC] geeknik at protonmail dot ch
[2020-12-18 12:32 UTC] cmb@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cmb
[2020-12-18 12:32 UTC] cmb@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sat Oct 25 22:00:01 2025 UTC
Description:
------------
Triggered during AFL fuzzing. Only tested against 7.1.8 and 7.1.9. If we set USE_ZEND_ALLOC=0 the signed integer overflow remains, but the memory allocation error goes away.

Test script:
---------------
echo -ne 'o:200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000:"' | UBSAN_OPTIONS=print_stacktrace=1 ~/php-7.1.9/sapi/cli/php -r 'unserialize(file_get_contents("php://stdin"));'

Actual result:
--------------
/root/php-7.1.9/ext/standard/var_unserializer.c:339:20: runtime error: signed integer overflow: 2000000000000000000 * 10 cannot be represented in type 'long'
    #0 0x11cef10 in parse_iv2 /root/php-7.1.9/ext/standard/var_unserializer.c:339:20
    #1 0x11cef10 in object_common1 /root/php-7.1.9/ext/standard/var_unserializer.c:507
    #2 0x11c935c in php_var_unserialize_internal /root/php-7.1.9/ext/standard/var_unserializer.c:1372:13
    #3 0x118f3fd in zif_unserialize /root/php-7.1.9/ext/standard/var.c:1114:7
    #4 0x16b6789 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/php-7.1.9/Zend/zend_vm_execute.h:628:2
    #5 0x156d6f3 in execute_ex /root/php-7.1.9/Zend/zend_vm_execute.h:432:7
    #6 0x156e2ef in zend_execute /root/php-7.1.9/Zend/zend_vm_execute.h:474:2
    #7 0x13d5845 in zend_eval_stringl /root/php-7.1.9/Zend/zend_execute_API.c:1120:4
    #8 0x13d617b in zend_eval_stringl_ex /root/php-7.1.9/Zend/zend_execute_API.c:1161:11
    #9 0x13d617b in zend_eval_string_ex /root/php-7.1.9/Zend/zend_execute_API.c:1172
    #10 0x17bb258 in do_cli /root/php-7.1.9/sapi/cli/php_cli.c:1024:8
    #11 0x17b8f40 in main /root/php-7.1.9/sapi/cli/php_cli.c:1381:18
    #12 0x7fd3d03a83f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
    #13 0x43ab99 in _start (/root/php-7.1.9/sapi/cli/php+0x43ab99)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/php-7.1.9/ext/standard/var_unserializer.c:339:20 in

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 2415919104 bytes) in Command line code on line 1
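The report shows the two halves of this class of bug: an unchecked `v * 10 + digit` accumulation that is undefined behaviour in C once it leaves the range of `long`, and a garbage count that is then used to size an allocation. The following C is an added illustration of the defensive pattern, not code from PHP or from the reporter: a decimal parser that range-checks every step and refuses overflowing input, plus a plausibility check that rejects a declared element count larger than the remaining serialized payload before anything is allocated. The names `parse_iv_checked`, `count_plausible`, `limits_ok`, the `iv_status` enum and the sample inputs are this example's own, and `REPORT_LIKE` is a constructed stand-in for the reporter's long digit string.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the checked parser (this example's own names). */
enum iv_status { IV_OK = 0, IV_OVERFLOW = 1, IV_NO_DIGITS = 2 };

/*
 * Parse an optionally signed run of decimal digits, stopping at the first
 * non-digit. Every step is range-checked before it is performed, so the
 * signed overflow the sanitizer reported above cannot occur; on overflow
 * the function returns IV_OVERFLOW and *end points at the offending digit.
 * The magnitude is accumulated as a negative number because |LONG_MIN| is
 * one larger than LONG_MAX, so the negative side covers both bounds.
 */
static enum iv_status parse_iv_checked(const char *s, long *out, const char **end)
{
    const char *p = s;
    int neg = 0;
    long v = 0;

    if (*p == '-') { neg = 1; p++; }
    else if (*p == '+') { p++; }

    if (*p < '0' || *p > '9') {
        if (end) *end = s;
        return IV_NO_DIGITS;
    }
    while (*p >= '0' && *p <= '9') {
        int d = *p - '0';
        /* v * 10 - d stays >= LONG_MIN exactly when v >= (LONG_MIN + d) / 10
           (C division truncates toward zero, so the bound is exact). */
        if (v < (LONG_MIN + d) / 10) {
            if (end) *end = p;
            return IV_OVERFLOW;
        }
        v = v * 10 - d;
        p++;
    }
    if (!neg) {
        if (v == LONG_MIN) {        /* magnitude LONG_MAX + 1 has no positive form */
            if (end) *end = p - 1;
            return IV_OVERFLOW;
        }
        v = -v;
    }
    *out = v;
    if (end) *end = p;
    return IV_OK;
}

/* Thin wrappers so a caller can check status and value separately. */
static int parse_status(const char *s) { long v = 0; return (int)parse_iv_checked(s, &v, NULL); }
static long parse_value(const char *s) { long v = 0; parse_iv_checked(s, &v, NULL); return v; }

/*
 * Second line of defence, for the "tried to allocate 2415919104 bytes" half
 * of the report: a container declaring n elements needs at least n bytes of
 * payload after the count, so a count larger than the remaining input is
 * bogus and must be rejected before an allocation is sized from it.
 * Illustrative heuristic, not PHP's own check.
 */
static int count_plausible(long n, size_t remaining)
{
    return n >= 0 && (unsigned long)n <= remaining;
}

/* Boundary self-check: LONG_MAX and LONG_MIN must round-trip, and LONG_MAX
   with its last digit bumped by one (it ends in 7 on every common width)
   must be rejected rather than silently wrapping. */
static int limits_ok(void)
{
    char buf[64];
    long v = 0;
    snprintf(buf, sizeof buf, "%ld", LONG_MAX);
    if (parse_iv_checked(buf, &v, NULL) != IV_OK || v != LONG_MAX) return 0;
    snprintf(buf, sizeof buf, "%ld", LONG_MIN);
    if (parse_iv_checked(buf, &v, NULL) != IV_OK || v != LONG_MIN) return 0;
    snprintf(buf, sizeof buf, "%ld", LONG_MAX);
    buf[strlen(buf) - 1] += 1;
    return parse_iv_checked(buf, &v, NULL) == IV_OVERFLOW;
}

/* Constructed input in the shape of the report: a count whose digits run
   far past the range of long, followed by the serialized-object delimiter. */
static const char REPORT_LIKE[] = "20000000000000000000000000040000000:\"";

int main(void)
{
    const char *inputs[] = { "42", "-17", "12x", "abc", REPORT_LIKE };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long v = 0;
        const char *end = NULL;
        enum iv_status st = parse_iv_checked(inputs[i], &v, &end);
        if (st == IV_OK)
            printf("%-40.40s -> %ld (rest=\"%s\")\n", inputs[i], v, end);
        else
            printf("%-40.40s -> status %d at offset %ld\n", inputs[i], (int)st, (long)(end - inputs[i]));
    }
    printf("count_plausible(3, 10)=%d, limits_ok=%d\n", count_plausible(3, 10), limits_ok());
    return 0;
}
```

The parser reports where it stopped so a caller can refuse the whole message rather than continue with a truncated count; combining that with `count_plausible` means neither an overflowed nor an absurdly large count ever reaches an allocator.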