php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70480 php_url_parse_ex() buffer overflow read
Submitted: 2015-09-13 06:34 UTC Modified: 2016-07-25 15:16 UTC
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Closed Package: URL related
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: 2016-6288
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: yohgaki@php.net
New email:
PHP Version: OS:

 

 [2015-09-13 06:34 UTC] yohgaki@php.net
Description:
------------
php_url_prase_ex() read buffer exceeding its limits and segfaults.
PHP function parse_url() is not affected since PHP string is terminated by null char always.

Patch to fix this:

@@ -319,8 +320,9 @@ PHPAPI php_url *php_url_parse_ex(char const *str, size_t length)
 
        nohost:
 
        if ((p = memchr(s, '?', (ue - s)))) {
-               pp = strchr(s, '#');
+               pp = memchr(s, '#', (ue - s));
 
                if (pp && pp < p) {
                        if (pp - s) {


Test script:
---------------
N/A
This bug only appears only when php_url_prase_ex() is called internally.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-09-13 06:34 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-09-26 08:06 UTC] stas@php.net
-Status: Assigned +Status: Feedback
 [2015-09-26 08:06 UTC] stas@php.net
Could you add an example when the buffer overflow/segfault happens?
 [2015-09-28 09:17 UTC] yohgaki@php.net
For example, when smart_str is used, a code may assume php_url_prase_ex() operates up to "length". The smart_str may not have terminating null char because it could be work in progress string.

However, strchr() looks for terminating null char, but smart_str may not have terminating null char. If this is the case, buffer overread happens and PHP crashes.

Anyway, php_url_prase_ex() is supposed to be binary safe as it has "length" parameter, but it isn't due to the strchr().
 [2015-09-28 20:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=629e4da7cc8b174acdeab84969cbfc606a019b31
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2015-09-28 20:09 UTC] stas@php.net
-Status: Feedback +Status: Closed
 [2015-09-29 13:10 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=629e4da7cc8b174acdeab84969cbfc606a019b31
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2016-07-08 12:34 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2016-07-14 19:20 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2016-07-14 19:22 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2016-07-25 15:16 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-6288
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC