PHP :: Sec Bug #72403 :: Integer Overflow in Length of String-typed ZVAL

Sec Bug #72403	Integer Overflow in Length of String-typed ZVAL
Submitted:	2016-06-14 12:24 UTC	Modified:	2016-06-27 19:23 UTC
From:	taoguangchen at icloud dot com	Assigned:	stas (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	5.5.36	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	taoguangchen at icloud dot com
New email:
PHP Version:		OS:

New Comment:

[2016-06-14 12:24 UTC] taoguangchen at icloud dot com

Description:
------------
Some PHP5 functions can create strings with negative value lengths

rawurlencode
```
<?php

ini_set('memory_limit', -1);
$str = str_repeat("&", 0xffffffff/3);
$str = rawurlencode($str);
var_dump(strlen($str));

?>
```

bin2hex
```
<?php

ini_set('memory_limit', -1);
$str = str_repeat("A", 0xffffffff/4+1);
$str = bin2hex($str);
var_dump(strlen($str));

?>
```
implode (fixed in bug#72275)
```
<?php

ini_set('memory_limit', -1);
$str = str_repeat("A", 0xffffffff/4);
$arr = [$str, $str, $str, $str];
$str = implode($arr);
var_dump(strlen($str));

?>
```
quotemeta
```
<?php

ini_set('memory_limit', -1);
$str = str_repeat("$", 0xffffffff/4+1);
$str = quotemeta($str);
var_dump(strlen($str));

?>
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-06-16 04:49 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-06-16 04:49 UTC] stas@php.net

Not sure all of these are security issues but since I'm lazy I'll fix all of these in 5.5. with one patch. See 8bb003da20ce4a6d14b37a6de9faa685925da182 in security of https://gist.github.com/b7d11aa951ce3eda74379abaad0db882

Please verify

[2016-06-16 04:50 UTC] stas@php.net

Related To: Bug #72400

[2016-06-16 04:52 UTC] stas@php.net

oops, forgot nl2br. Now 88746d60ab3ad51797612ee62603bb3e08d4aac4 and https://gist.github.com/282fcf1d02dc9583e3633e9d867adcec

[2016-06-16 04:53 UTC] stas@php.net

Related To: Bug #72268

[2016-06-16 06:22 UTC] taoguangchen at icloud dot com

The patch looks OK.

[2016-06-21 06:49 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88746d60ab3ad51797612ee62603bb3e08d4aac4
Log: Fix bug #72400 and #72403 - prevent signed int overflows for string lengths

[2016-06-21 06:53 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-06-21 06:53 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2016-06-21 07:03 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88746d60ab3ad51797612ee62603bb3e08d4aac4
Log: Fix bug #72400 and #72403 - prevent signed int overflows for string lengths

[2016-06-21 07:26 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88746d60ab3ad51797612ee62603bb3e08d4aac4
Log: Fix bug #72400 and #72403 - prevent signed int overflows for string lengths

[2016-06-21 07:27 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88746d60ab3ad51797612ee62603bb3e08d4aac4
Log: Fix bug #72400 and #72403 - prevent signed int overflows for string lengths

[2016-06-22 05:58 UTC] krakjoe@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=88746d60ab3ad51797612ee62603bb3e08d4aac4
Log: Fix bug #72400 and #72403 - prevent signed int overflows for string lengths

[2016-06-23 16:32 UTC] thomas at shadowweb dot org

I guess the fix in PHP_FUNCTION(nl2br) is incorrect:

int          new_length;
[...]
if (UNEXPECTED(new_length > INT_MAX)) {
[...]

This check will never trigger (since new_length is an int, obviously). You should also check str_len + 1 for an overflow against INT_MAX, since this variable may possibly also overflow when issuing the memory allocation:

int             str_len;
[...]
tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1);
[...]

[2016-06-27 12:35 UTC] lampa at fit dot vutbr dot cz

The same applies to a "fix" in url.c, as y is also int.

[2016-06-27 19:17 UTC] stas@php.net

Thanks, looks like I didn't notice those are int and not size_t :( I'll fix this.

However, str_len + 1 can't really overflow since str_len is int, but safe_emalloc accepts size_t, so worst that can happen seems to be str_len + 1 becomes big number and safe_emalloc fails with overflow.

[2016-06-27 19:23 UTC] stas@php.net

I'm not sure which part of url.c you are referring to, as in my code I see:

	register size_t x, y;

[2016-07-07 09:34 UTC] ab@php.net

Related To: Bug #72268

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 16:01:28 2024 UTC