Bug #72138 Integer Overflow in Length of String-typed ZVAL
Submitted: 2016-05-02 10:08 UTC Modified: 2016-05-10 05:28 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.21 OS: *
Private report: No CVE-ID: None
 [2016-05-02 10:08 UTC] taoguangchen at icloud dot com
Description:
------------
```c
typedef union _zvalue_value {
	long lval;					/* long value */
	double dval;				/* double value */
	struct {
		char *val;
		int len;				/* string length: signed 32-bit int */
	} str;
	HashTable *ht;				/* hash table value */
	zend_object_value obj;
} zvalue_value;
```

The len is defined as a signed int; integer overflow is possible in some situations, which results in len becoming a negative value and a corrupted string-typed ZVAL.

ex:

str_replace/str_ireplace
```c
	Z_STRLEN_P(result) = len + (char_count * (to_len - 1));
```

PoC:

```php
<?php

ini_set('memory_limit', -1);
$str = str_replace('B', 'AAAAAAAA', str_repeat('B', 0xffffffff/8));
var_dump(strlen($str));

?>
```
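As an added illustration, not part of the bug report and not PHP's own code: the str_replace length computation quoted above, recreated in C with the PoC's numbers, beside an overflow-checked version of the same arithmetic. The function names, the 64-bit widening and the -1 sentinel are assumptions of this example, not the upstream fix.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical re-creation of the unchecked assignment from str_replace:
 *   Z_STRLEN_P(result) = len + (char_count * (to_len - 1));
 * where the destination is the 32-bit signed `int len` of zvalue_value.str.
 * The wrap is done in unsigned arithmetic and mapped back to int so the
 * demonstration itself has no undefined behaviour. */
static int unchecked_result_len(int len, int char_count, int to_len)
{
    uint32_t v = (uint32_t)len + (uint32_t)char_count * (uint32_t)(to_len - 1);
    int64_t wide = v;
    if (wide > INT32_MAX)
        wide -= (int64_t)1 << 32;   /* two's-complement reinterpretation */
    return (int)wide;
}

/* Overflow-checked version (assumed design, not PHP's actual fix): widen to
 * 64 bits, reject anything that does not fit the signed int length field,
 * and signal failure with -1, which is never a valid string length. */
static int checked_result_len(int len, int char_count, int to_len)
{
    if (len < 0 || char_count < 0 || to_len < 1)
        return -1;
    uint64_t total = (uint64_t)len + (uint64_t)char_count * (uint64_t)(to_len - 1);
    if (total > (uint64_t)INT_MAX)
        return -1;
    return (int)total;
}

int main(void)
{
    /* Constructed from the PoC: str_repeat('B', 0xffffffff/8) gives a
     * 536870911-byte haystack, every byte matches, and each 'B' becomes
     * eight 'A's, so the true result length is 536870911 * 8 = 4294967288. */
    int len = 536870911, char_count = 536870911, to_len = 8;
    printf("unchecked: %d\n", unchecked_result_len(len, char_count, to_len)); /* -8 */
    printf("checked:   %d\n", checked_result_len(len, char_count, to_len));   /* -1 (rejected) */
    return 0;
}
```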


History
 [2016-05-10 05:28 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Reproducible crash -PHP Version: 5.5.35 +PHP Version: 5.6.21
 [2016-05-10 05:28 UTC] stas@php.net
This does not look like a security issue - it requires special code under an unrealistic memory limit.
 [2016-06-14 08:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4c968c6ddd2d3eb46838db153264edf5c7b3fefa
Log: Fix bug #72138 - Integer Overflow in Length of String-typed ZVAL
 [2016-06-14 08:04 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-06-22 05:58 UTC] krakjoe@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4c968c6ddd2d3eb46838db153264edf5c7b3fefa
Log: Fix bug #72138 - Integer Overflow in Length of String-typed ZVAL