|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-09-02 06:23 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-09-02 06:23 UTC] stas@php.net
[2016-09-05 05:28 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-09-13 04:13 UTC] stas@php.net
[2017-02-13 01:29 UTC] stas@php.net
-Type: Security
+Type: Bug
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Jul 06 17:01:33 2025 UTC |
Description: ------------ There is integer overflow in pg_escape_bytea function, check comment below: PHP_FUNCTION(pg_escape_bytea) { switch (ZEND_NUM_ARGS()) { case 1: if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &from, &from_len) == FAILURE) { return; } pgsql_link = NULL; id = PGG(default_link); break; default: if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &pgsql_link, &from, &from_len) == FAILURE) { return; } break; } to = (char *)PQescapeBytea((unsigned char*)from, from_len, &to_len); //this return string has length > INT_MAX. must check this legnth Test script: --------------- <?php ini_set('memory_limit', -1); $dbconn = pg_connect('dbname=foo'); $str = str_repeat('Ö', 0xffffffff/14); var_dump(strlen($str)); // Escape the binary data $escaped = pg_escape_bytea($str); var_dump(strlen($escaped)); chunk_split($escaped, 11, $escaped); ?> Expected result: ---------------- No crash Actual result: -------------- Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testpg_escape_bytea.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: No such file or directory Is the server running locally and accepting connections on Unix domain socket "/run/postgresql/.s.PGSQL.5432"? in /home/minhrau/phptestcase/testpg_escape_bytea.php on line 5 int(613566756) int(-1227133516) Program received signal SIGSEGV, Segmentation fault. 0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6 (gdb) bt #0 0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6 #1 0x000000000085c16f in zif_chunk_split (ht=3, return_value=0x7ffff7fa15d8, return_value_ptr=0x7ffff7f6b0e0, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2221 #2 0x00000000009cc114 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b278) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558 #3 0x00000000009d3d44 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b278) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:2602 #4 0x00000000009ca607 in execute_ex (execute_data=0x7ffff7f6b278) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363 #5 0x00000000009caff3 in zend_execute (op_array=0x7ffff7f9f810) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:388 #6 0x0000000000986563 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341 #7 0x00000000008f746e in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.24/main/main.c:2613 #8 0x0000000000aa9275 in do_cli (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994 #9 0x0000000000aaa2c3 in main (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378 (gdb)