|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2018-12-30 19:44 UTC] hanno at hboeck dot de
Description:
------------
The sample code below will cause a global out of bounds buffer read.
This seems to happen due to a bad base64 input.
It seems that in ext/xmlrpc/libxmlrpc/base64.c there's a second base64 implementation in the PHP code. I was quite surprised by this and it's probably not desirable and should use the "normal" base64 code in PHP that's probably better tested.
ASAN error:
==27771==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000030ee593 at pc 0x0000015d3c46 bp 0x7ffcf5d8fb70 sp 0x7ffcf5d8fb68
READ of size 1 at 0x0000030ee593 thread T0
#0 0x15d3c45 in base64_decode_xmlrpc /f/php/php-7.2.13/ext/xmlrpc/libxmlrpc/base64.c:172:10
#1 0x15d9bda in xml_element_to_XMLRPC_REQUEST_worker /f/php/php-7.2.13/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:139:10
#2 0x15d9e8c in xml_element_to_XMLRPC_REQUEST /f/php/php-7.2.13/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:181:45
#3 0x15e4502 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.13/ext/xmlrpc/libxmlrpc/xmlrpc.c:823:13
#4 0x15c5b5b in decode_request_worker /f/php/php-7.2.13/ext/xmlrpc/xmlrpc-epi-php.c:763:13
#5 0x15c5b5b in zif_xmlrpc_decode /f/php/php-7.2.13/ext/xmlrpc/xmlrpc-epi-php.c:818
#6 0x1bc89b8 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.13/Zend/zend_vm_execute.h:617:2
#7 0x1981d2c in execute_ex /f/php/php-7.2.13/Zend/zend_vm_execute.h:59739:7
#8 0x1982615 in zend_execute /f/php/php-7.2.13/Zend/zend_vm_execute.h:63776:2
#9 0x17bef41 in zend_eval_stringl /f/php/php-7.2.13/Zend/zend_execute_API.c:1083:4
#10 0x17bf87f in zend_eval_stringl_ex /f/php/php-7.2.13/Zend/zend_execute_API.c:1124:11
#11 0x17bf87f in zend_eval_string_ex /f/php/php-7.2.13/Zend/zend_execute_API.c:1135
#12 0x1d024b6 in do_cli /f/php/php-7.2.13/sapi/cli/php_cli.c:1044:8
#13 0x1cffbd2 in main /f/php/php-7.2.13/sapi/cli/php_cli.c:1406:18
#14 0x7fd1a18f94ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
#15 0x423dc9 in _start (/r/php/php+0x423dc9)
0x0000030ee593 is located 45 bytes to the left of global variable 'get_type_str_mapping.first' defined in '/f/php/php-7.2.13/ext/xmlrpc/xmlrpc-epi-php.c' (0x30ee5c0) of size 1
'get_type_str_mapping.first' is ascii string ''
0x0000030ee593 is located 11 bytes to the right of global variable 'str_mapping' defined in '/f/php/php-7.2.13/ext/xmlrpc/xmlrpc-epi-php.c:1209:21' (0x30ee520) of size 104
Test script:
---------------
$a=xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo="));
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Tue Apr 16 05:01:29 2024 UTC |
The problem may be in this code: for (i = 0; i < 4; i++) { int c; c = *(source++); ... if (dtable[c] & 0x80) { ... So c is declared as signed int (converted from signed char), but used as an array index. This leads to bad access to any value of c which is interpreted as a negative (which shouldn't happen in proper base64 but...). So making it unsigned should fix it.