PHP :: Bug #72895 :: integer overflow in preg

Bug #72895	integer overflow in preg_quote caused heap corruption
Submitted:	2016-08-19 07:36 UTC	Modified:	2017-02-13 01:29 UTC
From:	minhrau dot vc dot 365 at gmail dot com	Assigned:	stas (profile)
Status:	Closed	Package:	PCRE related
PHP Version:	5.6.25	OS:	ALL
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2016-08-19 07:36 UTC] minhrau dot vc dot 365 at gmail dot com

Description:
------------
Integer overflow in preg_quote lead to heap corruption:


static PHP_FUNCTION(preg_quote)
{
...
	out_str = safe_emalloc(4, in_str_len, 1); //// the result of out_str is the string with length > INT_MAX

...


Test script:
---------------
<?php

ini_set('memory_limit', -1);


$str = str_repeat('/', 0xffffffff/4)."/4";

var_dump(strlen($str));
$str1 = preg_quote($str, '/');

var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>

Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php testpreg_quote.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(1073741825)
int(-2147483647)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x000000000085c3b3 in zif_chunk_split (ht=3, return_value=0x7ffff7fa0d00, return_value_ptr=0x7ffff7f6b0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2  0x00000000009cc4a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b250) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3  0x00000000009d40d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b250) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4  0x00000000009ca998 in execute_ex (execute_data=0x7ffff7f6b250) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5  0x00000000009cb384 in zend_execute (op_array=0x7ffff7f9f800) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6  0x0000000000986884 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7  0x00000000008f77e0 in php_execute_script (primary_file=0x7fffffffe2b0) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8  0x0000000000aa9606 in do_cli (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9  0x0000000000aaa654 in main (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-02 06:24 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-09-02 06:24 UTC] stas@php.net

The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify

[2016-09-05 05:28 UTC] minhrau dot vc dot 365 at gmail dot com

Patch looks good.

[2016-09-13 04:12 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-09-13 04:12 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2017-02-13 01:29 UTC] stas@php.net

-Type: Security +Type: Bug

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Jul 04 14:01:35 2025 UTC