php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72875 integer overflow in php_ldap_do_escape caused heap corruption
Submitted: 2016-08-18 03:56 UTC Modified: 2017-02-13 01:32 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: LDAP related
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-18 03:56 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
static void php_ldap_do_escape(const zend_bool *map, const char *value, size_t valuelen, char **result, size_t *resultlen)
{
	char hex[] = "0123456789abcdef";
	int i, p = 0;
	size_t len = 0;

	for (i = 0; i < valuelen; i++) {
		len += (map[(unsigned char) value[i]]) ? 3 : 1;
	}

	(*result) = (char *) safe_emalloc(1, len, 1);
	(*resultlen) = len;

	for (i = 0; i < valuelen; i++) {
		unsigned char v = (unsigned char) value[i];

		if (map[v]) {
			(*result)[p++] = '\\';
			(*result)[p++] = hex[v >> 4];  //p = -2147483647 will lead to head corruption
			(*result)[p++] = hex[v & 0x0f];
		} else {
			(*result)[p++] = v;
		}
	}

	(*result)[p++] = '\0';
}

Test script:
---------------
<?php

ini_set('memory_limit', -1);
$str = str_repeat('a', 0xffffffff/6+7);

var_dump(strlen($str));

$str1 = ldap_escape($str); //crash
?>

Expected result:
----------------
No crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testldap_escape_negative.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(715827889)

Program received signal SIGSEGV, Segmentation fault.
0x00000000006b5fcf in php_ldap_do_escape (map=0x7fffffffa720 '\001' <repeats 200 times>..., value=0x7fffc54bc030 'a' <repeats 200 times>..., valuelen=715827889, result=0x7fffffffa840, resultlen=0x7fffffffa830) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2658
2658				(*result)[p++] = hex[v & 0x0f];
(gdb) bt
#0  0x00000000006b5fcf in php_ldap_do_escape (map=0x7fffffffa720 '\001' <repeats 200 times>..., value=0x7fffc54bc030 'a' <repeats 200 times>..., valuelen=715827889, result=0x7fffffffa840, resultlen=0x7fffffffa830) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2658
#1  0x00000000006b6241 in zif_ldap_escape (ht=1, return_value=0x7ffff7f9ef68, return_value_ptr=0x7ffff7f6b140, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2711
#2  0x00000000009652bf in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3  0x000000000096ceef in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:2602
#4  0x00000000009637b2 in execute_ex (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#5  0x000000000096419e in zend_execute (op_array=0x7ffff7f9f838) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:388
#6  0x000000000091f70e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#7  0x0000000000890619 in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#8  0x0000000000a42420 in do_cli (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#9  0x0000000000a4346e in main (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb) p p
$8 = -2147483647

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-02 06:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-02 06:23 UTC] stas@php.net
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify
 [2016-09-05 05:29 UTC] minhrau dot vc dot 365 at gmail dot com
Patch looks good.
 [2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:13 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:32 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC