PHP :: Bug #72877 :: heap overflow in substr

Bug #72877	heap overflow in substr_replace
Submitted:	2016-08-18 05:23 UTC	Modified:	2017-02-13 01:30 UTC
From:	minhrau dot vc dot 365 at gmail dot com	Assigned:	stas (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	5.6.24	OS:	ALL
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2016-08-18 05:23 UTC] minhrau dot vc dot 365 at gmail dot com

Description:
------------
<?php

ini_set('memory_limit', -1);
$str = str_repeat('a', 0xffffffff/2);

var_dump(strlen($str));
$str1 = substr_replace($str, 'bob', strlen($str));
?>


Test script:
---------------
<?php

ini_set('memory_limit', -1);
$str = str_repeat('a', 0xffffffff/2);

var_dump(strlen($str));
$str1 = substr_replace($str, 'bob', strlen($str));
?>

Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testsubstr_replace.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483647)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a2fee in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff10a2fee in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x00000000007f67d2 in zif_substr_replace (ht=3, return_value=0x7ffff7fa00d0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2422
#2  0x00000000009652bf in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b258) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3  0x000000000096ceef in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b258) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:2602
#4  0x00000000009637b2 in execute_ex (execute_data=0x7ffff7f6b258) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#5  0x000000000096419e in zend_execute (op_array=0x7ffff7f9f7f0) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:388
#6  0x000000000091f70e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#7  0x0000000000890619 in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#8  0x0000000000a42420 in do_cli (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#9  0x0000000000a4346e in main (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb) p f
No symbol "f" in current context.
(gdb) b string.c:2422
Breakpoint 1 at 0x7f67b0: file /home/minhrau/PHP-5.6.24/ext/standard/string.c, line 2422.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testsubstr_replace.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483647)

Breakpoint 1, zif_substr_replace (ht=3, return_value=0x7ffff7fa00d0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2422
2422				memcpy(result, Z_STRVAL_PP(str), f);
(gdb) p f
$1 = 2147483647
(gdb) p result_len
$2 = 3

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-08-19 07:33 UTC] minhrau dot vc dot 365 at gmail dot com

Heap corruption in substr_replace due the integer overflow

PHP_FUNCTION(substr_replace)
{
	zval **str;
	zval **from;
	zval **len = NULL;
	zval **repl;
	char *result;
	int result_len;
	int l = 0;
	int f;
	int argc = ZEND_NUM_ARGS();

	HashPosition pos_str, pos_from, pos_repl, pos_len;
	zval **tmp_str = NULL, **tmp_from = NULL, **tmp_repl = NULL, **tmp_len= NULL;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZZ|Z", &str, &repl, &from, &len) == FAILURE) {
		return;
	}
...
			result_len = Z_STRLEN_PP(str) - l + repl_len; // result_len = 3
			result = emalloc(result_len + 1);

			memcpy(result, Z_STRVAL_PP(str), f); //but here f = 2147483647 -> cause the corruption
...

[2016-09-02 06:23 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-09-02 06:23 UTC] stas@php.net

The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify

[2016-09-05 05:29 UTC] minhrau dot vc dot 365 at gmail dot com

Patch looks good.

[2016-09-13 04:13 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-09-13 04:13 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2017-02-13 01:30 UTC] stas@php.net

-Type: Security +Type: Bug

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Sep 28 08:01:27 2024 UTC