[2014-06-08 10:39 UTC] mikispag at gmail dot com
Description:
------------
// Any string longer than 255 characters passed as the first parameter of locale_get_display_name()
// causes a stack buffer overflow in the ICU library (libicuuc.so), as the backtrace below shows
//
// #0 0x00007ffff3d0c425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
// #1 0x00007ffff3d0fb8b in __GI_abort () at abort.c:91
// #2 0x00007ffff3d4a39e in __libc_message (do_abort=2, fmt=0x7ffff3e5257f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
// #3 0x00007ffff3de0f47 in __GI___fortify_fail (msg=0x7ffff3e52567 "stack smashing detected") at fortify_fail.c:32
// #4 0x00007ffff3de0f10 in __stack_chk_fail () at stack_chk_fail.c:29
// #5 0x00007ffff4accdac in ures_getByKeyWithFallback_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #6 0x00007ffff4acce03 in ures_getStringByKeyWithFallback_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #7 0x00007ffff4adda09 in uloc_getTableStringWithFallback_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #8 0x00007ffff4adae1b in ?? () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #9 0x00007ffff4adb037 in ?? () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #10 0x00007ffff4adb0bb in uloc_getDisplayLanguage_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #11 0x00007ffff4adbf45 in uloc_getDisplayName_48 () from /usr/lib/x86_64-linux-gnu/libicuuc.so.48
// #12 0x00000000007041d2 in get_icu_disp_value_src_php (tag_name=0xef83ad "name", ht=1, return_value=0x7ffff7fb2140, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
// at /tmp/php-5.5.12/ext/intl/locale/locale_methods.c:542
// #13 0x00000000007044c0 in zif_locale_get_display_name (ht=1, return_value=0x7ffff7fb2140, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1)
// at /tmp/php-5.5.12/ext/intl/locale/locale_methods.c:602
// #14 0x0000000000b36b2f in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f7a168) at /tmp/php-5.5.12/Zend/zend_vm_execute.h:550
// #15 0x0000000000b3b367 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f7a168) at /tmp/php-5.5.12/Zend/zend_vm_execute.h:2329
// #16 0x0000000000b3623d in execute_ex (execute_data=0x7ffff7f7a168) at /tmp/php-5.5.12/Zend/zend_vm_execute.h:363
// #17 0x0000000000b362c2 in zend_execute (op_array=0x7ffff7fb3048) at /tmp/php-5.5.12/Zend/zend_vm_execute.h:388
// #18 0x0000000000af6d7d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /tmp/php-5.5.12/Zend/zend.c:1316
// #19 0x0000000000a5ecbd in php_execute_script (primary_file=0x7fffffffd090) at /tmp/php-5.5.12/main/main.c:2506
// #20 0x0000000000ba453f in do_cli (argc=2, argv=0x14141d0) at /tmp/php-5.5.12/sapi/cli/php_cli.c:994
// #21 0x0000000000ba57d4 in main (argc=2, argv=0x14141d0) at /tmp/php-5.5.12/sapi/cli/php_cli.c:1378
Test script:
---------------
// Reproducer: a locale ID long enough to overrun the fixed 256-byte `path`
// buffer inside ICU's ures_getByKeyWithFallback(), reached via uloc_getDisplayName().
$oversizedLocale = str_repeat('*', 256);
locale_get_display_name($oversizedLocale);
Patches: bug67397-patch (last revision 2014-06-08 20:45 UTC by stas@php.net)
U_CAPI UResourceBundle* U_EXPORT2 ures_getByKeyWithFallback(const UResourceBundle *resB, const char* inKey, UResourceBundle *fillIn, UErrorCode *status) {
    ...
    char path[256];
    ...
    if (len > 0) {
        uprv_memcpy(path, resPath, len);
    }
    uprv_strcpy(path+len, inKey); // inKey is user-supplied so that will end badly
    ...
    ...

The strcpy into the fixed 256-byte `path` is not bounded by the space remaining after `len`, so an over-long `inKey` writes past the end of the stack buffer (hence the "stack smashing detected" abort in the backtrace above).

Here is a trivial PoC that will trigger the bug:
-------------------------------------------------------------------------------------------------------------------
#include "unicode/utypes.h"
#include "unicode/uenum.h"

#define RESLEN 512

// COMPILE WITH:
// gcc -o funicu funicu.c `pkg-config --libs --cflags icu-uc icu-i18n icu-le icu-lx icu-io`

int main(void) {
    char locale[512];
    UChar *result;
    UErrorCode *err;
    int32_t rc;
    int i;

    result = malloc(RESLEN);
    err = malloc(sizeof(UErrorCode));

    memset(locale, '*', sizeof(locale));
    locale[ sizeof(locale)-1 ] = '\x00';

    rc = uloc_getDisplayName(
        locale,    // const localeID
        "en_US",   // const inLocaleID
        result,    // result
        RESLEN,    // maxresultSize
        err
    );

    return 0;
}
-------------------------------------------------------------------------------------------------------------------
ures_getByKeyWithFallback() is an internal function used by many other ICU entry points, including but not limited to uloc_getDisplayName(). I have already reported this to the libicu developers.