php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73445 malloc negative size parameter
Submitted: 2016-11-02 15:54 UTC Modified: 2017-02-13 00:58 UTC
From: ahihibughunter at gmail dot com Assigned: stas (profile)
Status: Closed Package: Zip Related
PHP Version: 5.6.28RC1 OS: ALL
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ahihibughunter at gmail dot com
New email:
PHP Version: OS:

 

 [2016-11-02 15:54 UTC] ahihibughunter at gmail dot com
Description:
------------
malloc function receives a negative size value in method addFromString

static ZIPARCHIVE_METHOD(addFromString)
{
	struct zip *intern;

...
        ze_obj->buffers[pos] = (char *)emalloc(buffer_len + 1);<- using with out check it value
	memcpy(ze_obj->buffers[pos], buffer, buffer_len + 1); 

	zs = zip_source_buffer(intern, ze_obj->buffers[pos], buffer_len, 0);
....
}

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$v1=str_repeat("A", 0x7fffffff);

$zip = new ZipArchive;
$res = $zip->open('test.zip', ZipArchive::CREATE);
if ($res === TRUE) {
    $zip->addFromString('test.txt', $v1);
    $zip->close();
    echo 'ok';
} else {
    echo 'failed';
}
?>


Expected result:
----------------
No crash


Actual result:
--------------
gdb ~/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php
(gdb) r test.php 
Starting program: /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Fatal error: Out of memory (allocated 2148007936) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c:1925 (tried to allocate 18446744071562067968 bytes) in /home/zx/zx/php/emalloc/test.php on line 8

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a84ff9 in zend_mm_check_ptr (heap=0x14a9ad0, ptr=0xd573485a5a5a5a5a, silent=1, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:1384
1384		if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt
#0  0x0000000000a84ff9 in zend_mm_check_ptr (heap=0x14a9ad0, ptr=0xd573485a5a5a5a5a, silent=1, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:1384
#1  0x0000000000a86c60 in _zend_mm_free_int (heap=0x14a9ad0, p=0xd573485a5a5a5a5a, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:2068
#2  0x0000000000a88271 in _efree (ptr=0xd573485a5a5a5a5a, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:2440
#3  0x0000000000990e81 in php_zip_object_free_storage (object=0x7ffff7fb7868) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c:1105
#4  0x0000000000b034ca in zend_objects_store_free_object_storage (objects=0x14751a0 <executor_globals+928>) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_objects_API.c:97
#5  0x0000000000aabc3b in shutdown_executor () at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_execute_API.c:290
#6  0x0000000000ac276d in zend_deactivate () at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend.c:960
#7  0x0000000000a23771 in php_request_shutdown (dummy=0x0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/main/main.c:1899
#8  0x0000000000b81532 in do_cli (argc=2, argv=0x147a5a0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1181
#9  0x0000000000b81dc4 in main (argc=2, argv=0x147a5a0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1382
(gdb)print p->info._size
Cannot access memory at address 0x24d9fd5a5a5a5a12



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-04 05:58 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 05:58 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 00:58 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Mon Jan 13 22:01:29 2025 UTC