PHP :: Bug #73187 :: transliterator_create_from

Bug #73187

transliterator_create_from_rules stack overflow

Submitted:

2016-09-27 16:28 UTC

Modified:

2018-05-15 16:18 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

fernando at null-life dot com

Assigned:

Status:

Wont fix

Package:

intl (PECL)

PHP Version:

7.0.11

OS:

Windows

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	fernando at null-life dot com
New email:
PHP Version:		OS:

New Comment:

[2016-09-27 16:28 UTC] fernando at null-life dot com

Description:
------------
Attached code causes stack overflow on ICU code

Test script:
---------------
<?php

$v1=str_repeat("(", 0xffffff+1);
transliterator_create_from_rules($v1);


Expected result:
----------------
No crash

Actual result:
--------------
Exception Hash (Major/Minor): 0x2b73a693.0x7c0fb53c

 Hash Usage : Stack Trace:
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x2174
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Instruction Address: 0x000000006beb33c4

Description: Stack Exhaustion
Short Description: StackExhaustion
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Stack Exhaustion starting at icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x0000000000002174 (Hash=0x2b73a693.0x7c0fb53c)

Stack Exhaustion is considered to be probably not exploitable.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-27 17:22 UTC] stas@php.net

This is probably because ICU parser is recursive. We can't do much about it and most probably ICU won't fix it either...

[2018-05-15 16:18 UTC] ab@php.net

-Status: Open +Status: Wont fix

[2018-05-15 16:18 UTC] ab@php.net

As per Stas comment, wont fix.

Thanks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 18:01:29 2024 UTC