Sec Bug #71906 AddressSanitizer: negative-size-param (-1) in mbfl_strcut
Submitted: 2016-03-26 23:29 UTC Modified: 2016-04-25 17:06 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 5.5.33 OS:
Private report: No CVE-ID: 2016-4073
 [2016-03-26 23:29 UTC] fernando at null-life dot com
Description:
------------
1. Compile PHP with ASAN enabled.
2. Run the attached test case on a 32-bit build.

php5-5.6.17+dfsg.orig/ext/mbstring/mbstring.c:2858
2858            if (len < 0) {
(gdb) print len
$64 = 2147483647 
This value will later set the sz value to -1, and that value is used inside memcpy.

php5-5.6.17+dfsg.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c:1542
1560    sz = end - start;
...
1568    memcpy(w, start, sz);



Test script:
---------------
<?php

$var1 = "AAAA";
$var2 = 1;
$var3 = 2147483647; // max int

mb_strcut($var1, $var2, $var3);


Expected result:
----------------
Not crash

Actual result:
--------------
=================================================================
==415==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0xb7ae5b04 in __asan_memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ab04)
    #1 0xb7ae5c2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f)
    #2 0x87cb167 in memcpy /usr/include/i386-linux-gnu/bits/string3.h:53
    #3 0x87cb167 in mbfl_strcut /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c:1568
    #4 0x87fcb5e in zif_mb_strcut /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/mbstring/mbstring.c:2869
    #5 0x9a3a625 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558
    #6 0x9626675 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363
    #7 0x97d2a43 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388
    #8 0x94291fb in zend_execute_scripts /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:1341
    #9 0x912def5 in php_execute_script /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:2597
    #10 0x9a47448 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:994
    #11 0x8087418 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #12 0xb7640645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #13 0x80879eb  (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x80879eb)

0xb3017411 is located 97297 bytes inside of 1048576-byte region [0xb2fff800,0xb30ff800)
allocated by thread T0 here:
    #0 0xb7af1d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0x954157e in zend_interned_strings_init /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_string.c:48

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
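The report boils down to an offset-plus-length check that overflows a 32-bit int: with from = 1 and len = 2147483647 the sum wraps negative, the comparison against the string length passes, and an unclipped size reaches memcpy. The following is an added illustration of that arithmetic and of the overflow-free form of the check; it is not mbstring's code and not the committed fix, and clip_len_unsafe, clip_len_safe and cut_bytes are hypothetical names. int32_t is used so the sums wrap as on the reporter's 32-bit build regardless of the host.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Check written the natural way: add offset and length, then compare.
 * 1 + 2147483647 wraps to -2147483648, which is not > slen, so len
 * comes back unclipped. Wrap is done through uint32_t to keep the
 * model deterministic; the cast back relies on two's complement. */
static int32_t clip_len_unsafe(int32_t from, int32_t len, int32_t slen)
{
    uint32_t wrapped = (uint32_t)from + (uint32_t)len;
    int32_t sum = (int32_t)wrapped;
    if (sum > slen) {
        len = slen - from;
    }
    return len;
}

/* Same check rearranged so nothing can overflow: once from is known to
 * lie in [0, slen], slen - from is the non-negative remaining byte count. */
static int32_t clip_len_safe(int32_t from, int32_t len, int32_t slen)
{
    if (from < 0 || len < 0 || from > slen) {
        return -1;                      /* reject rather than compute garbage */
    }
    if (len > slen - from) {
        len = slen - from;
    }
    return len;
}

/* Byte-level cut using the safe clip; returns bytes written or -1.
 * (mb_strcut also snaps the bounds to character boundaries; omitted here.) */
static int32_t cut_bytes(const char *src, int32_t slen, int32_t from,
                         int32_t len, char *dst, size_t dst_cap)
{
    int32_t n = clip_len_safe(from, len, slen);
    if (n < 0 || (size_t)n + 1 > dst_cap) {
        return -1;
    }
    memcpy(dst, src + from, (size_t)n);  /* n is bounded by slen - from */
    dst[n] = '\0';
    return n;
}

static char demo_out[8];                 /* destination for the "AAAA" demo */

int main(void)
{
    int32_t n = cut_bytes("AAAA", 4, 1, INT32_MAX, demo_out, sizeof demo_out);
    printf("unsafe clip: %d  safe clip: %d  cut: %d bytes \"%s\"\n",
           clip_len_unsafe(1, INT32_MAX, 4), clip_len_safe(1, INT32_MAX, 4),
           n, demo_out);
    return 0;
}
```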


 [2016-03-28 08:22 UTC] stas@php.net
-PHP Version: 5.6.19 +PHP Version: 5.5.33
 [2016-03-28 08:22 UTC] stas@php.net
This should fix it: https://gist.github.com/smalyshev/d8355c96a657cc5dba70

Please verify.
 [2016-03-28 08:27 UTC] stas@php.net
In security repo as 64f42c73efc58e88671ad76b6b6bc8e2b62713e1
 [2016-03-29 00:29 UTC] fernando at null-life dot com
Patch works; I don't get any warning now.
 [2016-03-29 06:47 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-03-29 06:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8dd10508bd66b6eefb18d319577b443fb1e0c55
Log: Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
 [2016-03-29 06:55 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-03-29 06:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1
Log: Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8dd10508bd66b6eefb18d319577b443fb1e0c55
Log: Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1
Log: Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
 [2016-04-25 17:06 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4073