Bug #70480 php_url_parse_ex() buffer overflow read
Submitted: 2015-09-13 06:34 UTC Modified: 2016-07-25 15:16 UTC
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Closed Package: URL related
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: 2016-6288
 [2015-09-13 06:34 UTC] yohgaki@php.net
Description:
------------
php_url_parse_ex() reads the buffer beyond its limits and segfaults.
The PHP function parse_url() is not affected, since a PHP string is always terminated by a null char.

Patch to fix this:

@@ -319,8 +320,9 @@ PHPAPI php_url *php_url_parse_ex(char const *str, size_t length)
 
        nohost:
 
        if ((p = memchr(s, '?', (ue - s)))) {
-               pp = strchr(s, '#');
+               pp = memchr(s, '#', (ue - s));
 
                if (pp && pp < p) {
                        if (pp - s) {
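Review bot: the new `memchr(s, '#', (ue - s))` uses the same end pointer as the `'?'` search on the line above it, so the two lookups are now bounded consistently and the scan can no longer run past `ue` looking for a NUL. Since `pp` is only used in the following `if (pp && pp < p)` branch, the `'#'` search could equally be bounded by `(p - s)`, which is a minor style point. The hunk does not come with a test; a regression test that passes php_url_parse_ex() a buffer without a trailing NUL would be worthwhile, because, as the description notes, parse_url() cannot reach this case.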


Test script:
---------------
N/A
This bug appears only when php_url_parse_ex() is called internally.


History

 [2015-09-13 06:34 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-09-26 08:06 UTC] stas@php.net
-Status: Assigned +Status: Feedback
 [2015-09-26 08:06 UTC] stas@php.net
Could you add an example when the buffer overflow/segfault happens?
 [2015-09-28 09:17 UTC] yohgaki@php.net
For example, when smart_str is used, code may assume php_url_parse_ex() operates up to "length". The smart_str may not have a terminating null char because it could be a work-in-progress string.

However, strchr() looks for a terminating null char, and smart_str may not have one. If this is the case, a buffer overread happens and PHP crashes.

Anyway, php_url_parse_ex() is supposed to be binary safe, as it has a "length" parameter, but it isn't due to the strchr().
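The following is an added, stand-alone illustration of the overread described in the report and patched in the hunk above; it is not php-src code. It mirrors only the `'?'` / `'#'` lookup, once with the original strchr() and once with the bounded memchr(), on a constructed buffer whose logical length (8 bytes) ends before the only NUL, which is how an unterminated smart_str would look to the parser.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer: the parser is handed only the first 8 bytes
 * ("path?q=1"). The bytes after that belong to something else, and the
 * only NUL is the literal's terminator, well past the logical end. */
static const char kBacking[] = "path?q=1xx#rest";
static const size_t kLogicalLen = 8;

/* Before the fix: find '?' within `length`, then look for '#' with strchr(),
 * which ignores `length` and keeps scanning until it meets a NUL byte.
 * Returns the offset of the '#' it landed on, or -1 if none. */
static ptrdiff_t scan_hash_unbounded(const char *s, size_t length)
{
    const char *ue = s + length;
    const char *p = memchr(s, '?', (size_t)(ue - s));
    if (!p) {
        return -1;   /* the original code only looks for '#' after finding '?' */
    }
    const char *pp = strchr(s, '#');   /* overread: may return a pointer >= ue */
    return pp ? (ptrdiff_t)(pp - s) : -1;
}

/* After the fix: the '#' search is bounded by the same end pointer as the
 * '?' search, so it can never report a byte outside [s, ue). */
static ptrdiff_t scan_hash_bounded(const char *s, size_t length)
{
    const char *ue = s + length;
    const char *p = memchr(s, '?', (size_t)(ue - s));
    if (!p) {
        return -1;
    }
    const char *pp = memchr(s, '#', (size_t)(ue - s));
    return pp ? (ptrdiff_t)(pp - s) : -1;
}

/* 1 if the scan found nothing or stayed inside the logical buffer,
 * 0 if it reported a byte the caller never handed over. */
static int scan_stayed_in_bounds(ptrdiff_t off, size_t length)
{
    return off < 0 || (size_t)off < length;
}

int main(void)
{
    ptrdiff_t a = scan_hash_unbounded(kBacking, kLogicalLen);
    ptrdiff_t b = scan_hash_bounded(kBacking, kLogicalLen);
    printf("strchr: offset %td, in bounds: %d\n", a, scan_stayed_in_bounds(a, kLogicalLen));
    printf("memchr: offset %td, in bounds: %d\n", b, scan_stayed_in_bounds(b, kLogicalLen));
    return 0;
}
```

In the demo the bytes past the logical end are still inside one array, so the program itself is well defined; on a real unterminated smart_str the same strchr() walks into whatever follows the allocation, which is the crash the report describes.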
 [2015-09-28 20:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=629e4da7cc8b174acdeab84969cbfc606a019b31
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2015-09-28 20:09 UTC] stas@php.net
-Status: Feedback +Status: Closed
 [2015-09-29 13:10 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=629e4da7cc8b174acdeab84969cbfc606a019b31
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2016-07-08 12:34 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2016-07-14 19:20 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2016-07-14 19:22 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 [2016-07-25 15:16 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-6288
 [2016-10-17 10:11 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2
Log: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 07:01:29 2024 UTC