Bug #71750 Multiple Heap Overflows in php_raw_url_encode/php_url_encode
Submitted: 2016-03-09 05:27 UTC Modified: 2016-03-21 06:10 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.0.4 OS:
Private report: No CVE-ID: None
 [2016-03-09 05:27 UTC] taoguangchen at icloud dot com
Description:
------------
Vulnerable code:
```
PHPAPI zend_string *php_raw_url_encode(char const *s, size_t len)
{
	...
	str = zend_string_alloc(3 * len, 0);
	for (x = 0, y = 0; len--; x++, y++) {
		ZSTR_VAL(str)[y] = (unsigned char) s[x];
...
PHPAPI zend_string *php_url_encode(char const *s, size_t len)
{
  ...
	start = zend_string_alloc(3 * len, 0);
```

PoC:
```
<?php
//php_raw_url_encode
ini_set('memory_limit', -1);
rawurlencode(str_repeat('A', 0xffffffff/3));
```

```
<?php
//php_url_encode
ini_set('memory_limit', -1);
setcookie('hi', str_repeat('A', 0xffffffff/3));
```

Fix:
uses zend_string_safe_alloc instead
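
The size calculation behind this report, as an added example (not code from php-src or from the reporter). uint32_t stands in for a 32-bit size_t, HDR_SIZE is an assumed header size, and both function names are hypothetical; the checked variant shows the kind of test a safe allocator makes before allocating and is not PHP's implementation of zend_string_safe_alloc.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the zend_string header size (build-dependent). */
#define HDR_SIZE 16u

/* Bytes requested when the caller passes 3 * len unchecked and the
 * allocator adds header + NUL. uint32_t models a 32-bit size_t, so the
 * wrap-around is visible on a 64-bit host too. */
static uint32_t unchecked_alloc_size(uint32_t len)
{
    uint32_t payload = 3u * len;        /* wraps once len > UINT32_MAX / 3 */
    return HDR_SIZE + payload + 1u;     /* can wrap even when payload did not */
}

/* Checked n * m + extra plus header and NUL: returns the size, or -1 if
 * any step would exceed UINT32_MAX (the caller must then refuse). */
static int64_t checked_alloc_size(uint32_t n, uint32_t m, uint32_t extra)
{
    uint32_t total;

    if (n != 0 && m > UINT32_MAX / n)
        return -1;
    total = n * m;
    if (extra > UINT32_MAX - total)
        return -1;
    total += extra;
    if (total > UINT32_MAX - (HDR_SIZE + 1u))
        return -1;
    return (int64_t)total + HDR_SIZE + 1u;
}

int main(void)
{
    /* Constructed inputs: a small string, the PoC length, and one byte more. */
    const uint32_t lens[] = { 100u, 0xffffffffu / 3u, 0xffffffffu / 3u + 1u };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%lu unchecked=%lu checked=%lld\n",
               (unsigned long)lens[i],
               (unsigned long)unchecked_alloc_size(lens[i]),
               (long long)checked_alloc_size(3u, lens[i], 0u));
    }
    return 0;
}
```

With the PoC length the unchecked request collapses to a few bytes while the encode loop still writes up to 3 * len bytes, which is the heap overflow; the checked path reports the overflow instead of returning a size.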

 [2016-03-21 05:38 UTC] stas@php.net
This also does not look like a security issue, requires specially crafted code.
 [2016-03-21 06:10 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-03-21 06:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4517b2a5e3141393c1c4f6fca51e1c325e91251
Log: Fix bug #71750: use zend_string_safe_alloc for calculated allocations
 [2016-03-21 06:11 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4517b2a5e3141393c1c4f6fca51e1c325e91251
Log: Fix bug #71750: use zend_string_safe_alloc for calculated allocations