php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72876 integer overflow in str_pad caused heap corruption
Submitted: 2016-08-18 03:59 UTC Modified: 2017-02-13 01:31 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-18 03:59 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
There is integer overflow in str_pad function, check comment below:

PHP_FUNCTION(str_pad)
{
...
	int	   i, left_pad=0, right_pad=0;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|sl", &input, &input_len, &pad_length,
																  &pad_str_val, &pad_str_len, &pad_type_val) == FAILURE) {
		return;
	}

...

	num_pad_chars = pad_length - input_len;
...
	result = (char *)emalloc(input_len + num_pad_chars + 1);

...

	/* First we pad on the left. */
	for (i = 0; i < left_pad; i++)
		result[result_len++] = pad_str_val[i % pad_str_len];

	/* Then we copy the input string. */
	memcpy(result + result_len, input, input_len);
	result_len += input_len;

	/* Finally, we pad on the right. */
	for (i = 0; i < right_pad; i++)
		result[result_len++] = pad_str_val[i % pad_str_len];  //result_len will be negative, lead to heap corruption

Test script:
---------------
<?php

ini_set('memory_limit', -1);
$str = str_repeat('a', 0xffffffff/2);
var_dump(strlen($str));

$str1 = str_pad($str, 2300000000, "="); //crash

?>


Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php teststr_pad_negative.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483647)

Program received signal SIGSEGV, Segmentation fault.
0x00000000007ffd01 in zif_str_pad (ht=3, return_value=0x7ffff7fa0cf0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:5333
5333			result[result_len++] = pad_str_val[i % pad_str_len];
(gdb) b string.c:5306
Breakpoint 2 at 0x7ffc11: file /home/minhrau/PHP-5.6.24/ext/standard/string.c, line 5306.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php teststr_pad_negative.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483647)

Breakpoint 2, zif_str_pad (ht=3, return_value=0x7ffff7fa0cf0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:5306
5306		switch (pad_type_val) {
(gdb) p num_pad_chars 
$1 = 152516353
(gdb) p input_len
$2 = 2147483647
(gdb) p input_len + num_pad_chars + 1
$3 = 2300000001
(gdb) b string.c:5333
Breakpoint 3 at 0x7ffcd6: file /home/minhrau/PHP-5.6.24/ext/standard/string.c, line 5333.
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x00000000007ffd01 in zif_str_pad (ht=3, return_value=0x7ffff7fa0cf0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:5333
5333			result[result_len++] = pad_str_val[i % pad_str_len];
(gdb) p result_len
$5 = -2147483647
(gdb) p right_pad
$7 = 152516353

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-02 06:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-02 06:23 UTC] stas@php.net
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify
 [2016-09-05 05:29 UTC] minhrau dot vc dot 365 at gmail dot com
Patch looks good.
 [2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:13 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:31 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jul 09 13:01:36 2025 UTC