Sec Bug #71798 Integer Overflow in php_raw_url_encode
Submitted: 2016-03-11 11:37 UTC Modified: 2016-04-25 07:00 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.5.33 OS:
Private report: No CVE-ID: 2016-4070
 [2016-03-11 11:37 UTC] taoguangchen at icloud dot com
Description:
------------
```
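PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
{
	register int x, y;	/* signed indices: y can reach 3 * len and exceed INT_MAX */
	unsigned char *str;

	str = (unsigned char *) safe_emalloc(3, len, 1);	/* room for 3 * len + 1 bytes */
	for (x = 0, y = 0; len--; x++, y++) {
		str[y] = (unsigned char) s[x];
		/* ... the excerpt in the report ends here ... */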

PoC:
```
<?php

ini_set('memory_limit', -1);
rawurlencode(str_repeat('&', 0xffffffff/3));

?>
```

Fix:
```
-	register int x, y;
+	register unsigned int x, y;
```
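Review bot: `unsigned int` for `y` only moves the wrap point rather than removing it. The buffer is sized as `safe_emalloc(3, len, 1)`, so `y` can advance up to three bytes per input byte and passes `UINT_MAX` once `len` exceeds `UINT_MAX / 3`, which an `int len` can still reach. Declare both indices as `size_t` so the index type matches the allocation size.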


 [2016-03-11 11:48 UTC] taoguangchen at icloud dot com
Better Fix:
```
-	register int x, y;
+	register size_t x, y;

```
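Review bot: widening `x` and `y` to `size_t` stops the index from wrapping, but the signature shown in the report still takes `int len` and reports the size through `int *new_length`. A final `y` above `INT_MAX` cannot be represented there, so this change should come with an explicit check that the encoded length fits in `int` (or with a wider length parameter).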
 [2016-03-27 21:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-03-27 21:23 UTC] stas@php.net
In security repo as 95433e8e339dbb6b5d5541473c1661db6ba2c451
 [2016-03-27 21:25 UTC] stas@php.net
Not sure if this qualifies as security issue (probably not) but since we release new version in 2 days anyway I'll just fix it as one.
 [2016-03-29 06:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451
Log: Fix bug #71798 - Integer Overflow in php_raw_url_encode
 [2016-03-29 06:55 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451
Log: Fix bug #71798 - Integer Overflow in php_raw_url_encode
 [2016-04-25 06:15 UTC] henri at nerv dot fi
Please use CVE-2016-4070 as discussed in http://www.openwall.com/lists/oss-security/2016/04/11/7
 [2016-04-25 07:00 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2016-4070
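The index arithmetic behind this report, as an added example that is not PHP's code and not part of the original thread: a percent-encoder with `size_t` indices and an explicit check on the `3 * len + 1` worst-case size. The names `encoded_capacity`, `worst_case_fits_int` and `raw_url_encode_checked` are hypothetical, and the unreserved-character set used here is an assumption.

```c
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Worst case: every byte becomes "%XX", plus a NUL. 0 if 3*len+1 wraps. */
int encoded_capacity(size_t len, size_t *cap)
{
    if (len > (SIZE_MAX - 1) / 3)
        return 0;
    *cap = 3 * len + 1;
    return 1;
}

/* Can an int length (as in the report's signature) hold the worst case? */
int worst_case_fits_int(size_t len)
{
    return len <= (size_t)INT_MAX / 3;
}
/* Hypothetical helper, not PHP's function: size_t indices cannot go negative. */
char *raw_url_encode_checked(const char *s, size_t len, size_t *out_len)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t cap, x, y;
    unsigned char *str;
    if (!encoded_capacity(len, &cap) || (str = malloc(cap)) == NULL)
        return NULL;
    for (x = 0, y = 0; x < len; x++) {
        unsigned char c = (unsigned char)s[x];
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            str[y++] = c;
        } else {
            str[y++] = '%';
            str[y++] = hex[c >> 4];
            str[y++] = hex[c & 15];
        }
    }
    str[y] = '\0';
    *out_len = y;
    return (char *)str;
}

int main(void)
{
    size_t n;
    char *e = raw_url_encode_checked("a&b", 3, &n); /* constructed input */
    if (e) printf("%s (%zu bytes)\n", e, n);
    free(e);
    return 0;
}
```

`worst_case_fits_int` returns 0 for the PoC's input length of `0xffffffff/3`, which is the condition under which a signed `int` index can no longer hold the output position.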
 
Last updated: Thu Nov 21 10:01:29 2024 UTC