php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76155 Integer overflow
Submitted: 2018-03-27 23:11 UTC Modified: 2018-04-24 00:43 UTC
From: jmenon at isi dot edu Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.17 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: jmenon at isi dot edu
New email:
PHP Version: OS:

 

 [2018-03-27 23:11 UTC] jmenon at isi dot edu 
Description:
------------
There exists a signed comparison happening in the phar_check_str() @ phar.c : 1857 which can be bypassed with a negative value and could lead to a buffer-over-flow on the stack with user controlled input.

This is not an exploitable bug due to a comparison happening in the phar_split_fname() @ phar.c : 2209 which sign extends the int variable to size_t.

We do not believe that this is the intended consequence of the above mentioned comparison and therefore, it might be possible to exploit this vulnerability in a situation where PHP (32 bit) allows generation of strings of size larger than 2^31 bytes.

We had reported this bug via email, but did not receive any response after 5 days which is why we chose to report it here as well.

Test script:
---------------
phar_check_str():

1854 : char test[51];

1857 : if ( ext_len >= 50)
               return FAILURE;

1863 : memcpy(test, ext_str - 1, ext_len + 1);

...
phar_split_fname():

2209 : if (CHECK_NULL_PATH(filename, filename_len)) 
           return FAILURE;
...
zend_API.h

#define CHECK_NULL_PATH(p, l) (strlen(p) != (size_t)(l))

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-04-23 03:26 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-04-23 03:26 UTC] stas@php.net 
Doesn't seem to have any security implications, but probably worth fixing anyway since it's not nice to convert size_t to int and then forget it can be negative.
 [2018-04-23 04:30 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2018-04-23 04:30 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2018-04-23 04:30 UTC] stas@php.net
-PHP Version: 7.2Git-2018-03-27 (Git) +PHP Version: 7.1.17
 [2018-04-24 00:43 UTC] jmenon at isi dot edu 
For clarity, this bug has security implications: the integer overflow,
if triggered, leads to a buffer overflow which can be leveraged by an
attacker to execute arbitrary code.

It is not clear whether it is possible to trigger the integer overflow
from user input. As I mentioned before, it might be possible to exploit
this vulnerability in a situation where PHP (32 bit) allows generation
of strings of size larger than 2^31 bytes.

Either way, thank you for replying.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Dec 31 14:00:01 2025 UTC