php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73011 integer overflow in fgets cause heap corruption
Submitted: 2016-09-04 11:37 UTC Modified: 2017-02-13 01:25 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: Filesystem function related
PHP Version: 5.6.25 OS: ALL
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-09-04 11:37 UTC] minhrau dot vc dot 365 at gmail dot com 
Description:
------------
 Integer overflow in function fgets lead to heap corruption. Please check comment below:

PHPAPI PHP_FUNCTION(fgets)
{
	zval *res;
	long len = 1024;
	char *buf = NULL;
	int argc = ZEND_NUM_ARGS();
	size_t line_len = 0;
	php_stream *stream;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|l", &res, &len) == FAILURE) {
		RETURN_FALSE;
	}

	PHP_STREAM_TO_ZVAL(stream, &res);

	if (argc == 1) {
		/* ask streams to give us a buffer of an appropriate size */
		buf = php_stream_get_line(stream, NULL, 0, &line_len); //<- return string with size_t length
		if (buf == NULL) {
			goto exit_failed;
		}
	} else if (argc > 1) {
		if (len <= 0) {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be greater than 0");
			RETURN_FALSE;
		}

		buf = ecalloc(len + 1, sizeof(char));
		if (php_stream_get_line(stream, buf, len, &line_len) == NULL) {
			goto exit_failed;
		}
	}
	//didn't check for len > INT_MAX				
	ZVAL_STRINGL(return_value, buf, line_len, 0);

Test script:
---------------
<?php

ini_set('memory_limit', -1);

$fd = fopen("/opt/lampp/htdocs/a", "r"); //file a with line > max_int
$str1 = fgets($fd);
var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>


Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testfgets.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

int(-2147483523)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a59a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff10a59a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
#1  0x000000000085c99e in zif_chunk_split (ht=3, return_value=0x7ffff7fa14c0, return_value_ptr=0x7ffff7f6c0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2  0x00000000009cca94 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3  0x00000000009d46c4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4  0x00000000009caf87 in execute_ex (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5  0x00000000009cb973 in zend_execute (op_array=0x7ffff7fa08d8) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6  0x0000000000986e73 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7  0x00000000008f7dcf in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8  0x0000000000aa9bf5 in do_cli (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9  0x0000000000aaac43 in main (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-04 11:39 UTC] minhrau dot vc dot 365 at gmail dot com
-Package: *General Issues +Package: Filesystem function related
 [2016-09-04 11:39 UTC] minhrau dot vc dot 365 at gmail dot com 
change the package name
 [2016-09-05 05:22 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-05 05:22 UTC] stas@php.net 
The fix is in security repo as aec5ab899f9de6cf11ded9c77b649b34f5fcb643 and in https://gist.github.com/ba06b796489e3c50924f2bb3c99012b0

please verify
 [2016-09-05 05:26 UTC] minhrau dot vc dot 365 at gmail dot com 
Patch looks good.

can i request cve for this?
 [2016-09-13 04:12 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2017-02-13 01:25 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 13:01:29 2024 UTC