Bug #75575 Theoretical pointer wrapping and access-out-of-bounds in non-standard Zend code
Submitted: 2017-11-26 23:14 UTC Modified: -
From: plebbyastian at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: Irrelevant OS: Whatever
Private report: No CVE-ID: None
 [2017-11-26 23:14 UTC] plebbyastian at gmail dot com
Description:
------------
The subtraction at <https://github.com/php/php-src/blob/26f8fc833b9668a8b8e14ecd7d94930146019adb/Zend/zend_operators.c#L3059> has no guard to ensure pointer wrapping (which itself is undefined behaviour) doesn't occur.

There's an identical unguarded pointer subtraction at <https://github.com/php/php-src/blob/26f8fc833b9668a8b8e14ecd7d94930146019adb/Zend/zend_operators.c#L3093>.

Successful exploitation would result in high ranges of memory becoming accessible to the attacker, with similar use cases to Heartbleed.

Remember this when you try to argue for use of non-standard, reinvented wheels. Testing incurs a price. As does code complexity. To put my "standardisation" rants into perspective, here's how C11/6.5.6p8 defines PHP:

> ... If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined. ...
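
The pattern the report describes, as an added illustration that is not code from php-src and makes no claim about what the cited lines of zend_operators.c actually do: a reverse substring search written once without a length guard, so that `end - needle_len` can form a pointer before the start of the haystack (undefined under C11 6.5.6p8 even if never dereferenced), and once with the guard, iterating on an offset so every pointer formed stays inside the buffer. The function names `rfind_unguarded`/`rfind_guarded`, the `demo` helper and the sample haystack `HAY` are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not code from php-src: a reverse substring search
 * written two ways. The first forms the pointer `end - needle_len` before
 * checking that needle_len fits in the haystack; C11 6.5.6p8 makes that
 * subtraction undefined whenever the result would land before the start
 * of the buffer, whether or not it is later dereferenced. The second keeps
 * every pointer it forms inside [haystack, end]. */

/* Constructed sample haystack, shared with the checks below. */
static const char HAY[] = "abcabc";

/* Unguarded (for illustration): with needle_len larger than the haystack,
 * `end - needle_len` is undefined behaviour. On a typical machine it
 * silently yields an address before the buffer, `p == haystack` never
 * becomes true, and memcmp walks backwards through memory it was never
 * meant to read. Only call this with needle_len <= end - haystack. */
static const char *rfind_unguarded(const char *haystack, const char *needle,
                                   size_t needle_len, const char *end)
{
    if (needle_len == 0) {
        return NULL;
    }
    const char *p = end - needle_len;   /* UB if needle_len > (size_t)(end - haystack) */
    for (;;) {
        if (memcmp(p, needle, needle_len) == 0) {
            return p;
        }
        if (p == haystack) {
            return NULL;
        }
        p--;
    }
}

/* Guarded: compare lengths first, then iterate on an offset so that every
 * pointer formed lies within the haystack. The precondition haystack <= end
 * belongs to the caller, as it does for any (haystack, end) pair. */
static const char *rfind_guarded(const char *haystack, const char *needle,
                                 size_t needle_len, const char *end)
{
    size_t hay_len = (size_t)(end - haystack);
    if (needle_len == 0 || needle_len > hay_len) {
        return NULL;                    /* the guard the unguarded version lacks */
    }
    size_t off = hay_len - needle_len;  /* highest offset at which the needle can fit */
    for (;;) {
        if (memcmp(haystack + off, needle, needle_len) == 0) {
            return haystack + off;
        }
        if (off == 0) {
            return NULL;
        }
        off--;
    }
}

/* Returns 1 when the guarded search rejects an over-long needle and both
 * versions find the last "bc" on ordinary input; 0 otherwise. */
static int demo(void)
{
    const char *end = HAY + sizeof(HAY) - 1;           /* exclude the NUL */
    const char *last_bc = rfind_guarded(HAY, "bc", 2, end);
    const char *too_long = rfind_guarded(HAY, "abcabcabc", 9, end);
    const char *unguarded_ok = rfind_unguarded(HAY, "bc", 2, end);
    return last_bc == HAY + 4 && too_long == NULL && unguarded_ok == HAY + 4;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The guarded version never runs the over-long case through pointer arithmetic at all: the length comparison happens on `size_t` values, and the loop counts an offset down to zero, so no expression ever names an address before `haystack`. That is the property a compiler is allowed to assume, and the reason an unguarded `end - n` cannot be "fixed up" afterwards by comparing the result against `haystack`.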


Patches

Pull Requests

History

 [2017-11-28 22:13 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5dc6392d257fa8a4c3a8938e9e0e36ae44a6834e
Log: Fixed bug #75575
 [2017-11-28 22:13 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sun Jun 01 15:01:27 2025 UTC