Bug #72968 imap_rfc822_parse_headers GS Violation
Submitted: 2016-08-29 19:27 UTC Modified: 2017-02-13 01:25 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: IMAP related
PHP Version: 5.6.26 OS: Windows
Private report: No CVE-ID: None
 [2016-08-29 19:27 UTC] fernando at null-life dot com
Description:
------------
Exception when processing a long header string. I don't have the additional symbols for imap; unable to debug any further.

Test script:
---------------
<?php

// Lift the memory limit so the very large string below can be allocated.
ini_set('memory_limit', -1);

// Build a header string of roughly 715 MB. 0xffffffff/6 evaluates to a float
// (715827882.5); str_repeat() coerces it to int. The second argument is the
// default host used for unqualified addresses.
$v1=str_repeat("#", 0xffffffff/6);
imap_rfc822_parse_headers($v1,"2");


Expected result:
----------------
No crash

Actual result:
--------------
0:000:x86> r;!exploitable -v
eax=00000001 ebx=08a13020 ecx=00000007 edx=00000000 esi=00000003 edi=08a6116c
eip=5221468b esp=0712e408 ebp=0712e418 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ucrtbase!abort+0x4b:
5221468b cd29            int     29h

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SysWOW64\KERNEL32.DLL - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
Exception Faulting Address: 0x5221468b
Second Chance Exception Type: STATUS_STACK_BUFFER_OVERRUN (0xC0000409)

Exception Hash (Major/Minor): 0x3eec876b.0x85eecc65

 Hash Usage : Stack Trace:
Major+Minor : ucrtbase!abort+0x4b
Major+Minor : php_imap!rfc822_parse_msg_full+0x14
Major+Minor : php_imap!zif_imap_rfc822_parse_headers+0x62
Major+Minor : php7!execute_ex+0xfb
Major+Minor : php7!zend_execute+0x124
Minor       : php7!zend_execute_scripts+0xe7
Minor       : php7!php_execute_script+0x372
Minor       : php!do_cli+0x3d3
Minor       : php!main+0x2cb
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Excluded    : ntdll_776f0000!RtlInitializeExceptionChain+0x8f
Excluded    : ntdll_776f0000!RtlInitializeExceptionChain+0x5a
Instruction Address: 0x000000005221468b

Description: Stack Buffer Overrun (/GS Exception)
Short Description: GSViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Stack Buffer Overrun (/GS Exception) starting at ucrtbase!abort+0x000000000000004b (Hash=0x3eec876b.0x85eecc65)

An overrun of a protected stack buffer has been detected. This is considered exploitable, and must be fixed.
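As an added illustration (not part of the report and not PHP's own fix for this bug), the following PHP wrapper shows the defensive pattern a caller can apply while waiting for a patched build: refuse to hand an oversized, untrusted header block to the native c-client parser at all. The 64 KiB cap, the function names and the sample headers are assumptions made for this example.

```php
<?php
// Added example, not from the bug report or from PHP's fix for #72968.
// The crash in the report is reached by passing a header string of several
// hundred megabytes into the native c-client parser. Code that receives
// headers from an untrusted source (an uploaded .eml, a raw SMTP session)
// can reject anything beyond a sane bound before the C code ever sees it.

declare(strict_types=1);

// Assumed cap: real RFC 822 header blocks are a few KB, so 64 KiB is generous.
const MAX_HEADER_BYTES = 64 * 1024;

/**
 * Throw if the header block is larger than the allowed bound.
 */
function check_header_block(string $headers, int $max = MAX_HEADER_BYTES): void
{
    $len = strlen($headers);
    if ($len > $max) {
        throw new LengthException(
            sprintf('header block is %d bytes, limit is %d', $len, $max)
        );
    }
}

/**
 * Bounded wrapper around imap_rfc822_parse_headers(). Returns the parsed
 * header object, or null when ext/imap is not loaded.
 */
function parse_headers_bounded(string $headers, string $defaultHost = 'UNKNOWN'): ?object
{
    check_header_block($headers);
    if (!function_exists('imap_rfc822_parse_headers')) {
        return null; // ext/imap absent; nothing to parse with
    }
    return imap_rfc822_parse_headers($headers, $defaultHost);
}

// Constructed sample input (not taken from the report).
$sample = "From: Alice <alice@example.org>\r\n"
        . "To: Bob <bob@example.net>\r\n"
        . "Subject: test\r\n"
        . "Date: Mon, 29 Aug 2016 19:27:00 +0000\r\n";

$hdr = parse_headers_bounded($sample);
if ($hdr !== null) {
    echo 'subject: ', $hdr->subject, PHP_EOL;
}

// The same shape of input as the reporter's trigger (a long run of '#'),
// rejected up front instead of reaching rfc822_parse_msg_full().
try {
    check_header_block(str_repeat('#', MAX_HEADER_BYTES + 1));
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The size check is a mitigation at the call site only; it does not change the parser, so the real fix remains the commit referenced in the comments below. Keeping the cap in one constant makes it easy to tune for a deployment that legitimately handles larger header blocks.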


History

 [2016-09-02 06:31 UTC] stas@php.net
-PHP Version: 7.0.10 +PHP Version: 5.6.26 -Assigned To: +Assigned To: stas
 [2016-09-02 06:31 UTC] stas@php.net
The fix is in the security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
Please verify.
 [2016-09-13 04:12 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:25 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jul 03 12:01:33 2025 UTC