Bug #73208 integer overflow in imap_8bit caused heap corruption
Submitted: 2016-09-30 09:10 UTC Modified: 2017-02-13 01:11 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: IMAP related
PHP Version: 5.6.27RC1 OS: ALL
Private report: No CVE-ID: None
 [2016-09-30 09:10 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
Integer overflow in the function imap_8bit will cause a string length > int max.

PHP_FUNCTION(imap_8bit)
{
	char *text, *decode;
	int text_len;
	unsigned long newlength;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &text, &text_len) == FAILURE) {
		return;
	}

	/* rfc822_8bit can produce an output whose length exceeds INT_MAX */
	decode = (char *) rfc822_8bit((unsigned char *) text, text_len, &newlength);

	if (decode == NULL) {
		RETURN_FALSE;
	}

	/* newlength (unsigned long) is passed as the int length parameter without a range check */
	RETVAL_STRINGL(decode, newlength, 1);
	fs_give((void**) &decode);
}

Test script:
---------------
<?php

ini_set('memory_limit', -1);

// 0xffffffff/10 is a float (429496729.5); str_repeat truncates it to 429496729.
// 'ó' is two bytes in UTF-8, so $str is about 859 MB of 8-bit data.
$str = str_repeat('ó', 0xffffffff/10);

var_dump(strlen($str));
// each 8-bit byte is quoted-printable encoded as "=XX", tripling the length
$str1 = imap_8bit($str);
var_dump(strlen($str1));
?>

Expected result:
----------------
String length < int max

Actual result:
--------------
negative length value
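
As an added illustration, not the reporter's code and not c-client's rfc822_8bit, here is a simplified quoted-printable encoder in C that applies the kind of length check the fix commit describes: it computes the output size first and refuses to encode when the result would not fit in the int that PHP 5's RETVAL_STRINGL takes. Assuming the repeated character in the test script is the two-byte UTF-8 'ó', 429496729 copies expand to 2576980374 bytes, above INT_MAX, so the check fails instead of the length being truncated to a negative value.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* 1 if a byte count can be passed as the `int` length that PHP 5's
 * RETVAL_STRINGL() takes, 0 if it would be truncated (possibly negative). */
int length_fits_int(unsigned long len)
{
    return len <= (unsigned long)INT_MAX;
}

/* Output size for `len` input bytes: bytes with the high bit set, and '=',
 * become "=XX" (3 bytes); the rest copy through. Simplified stand-in for
 * rfc822_8bit's growth rule (no line wrapping). Stores the size in *out and
 * returns 0, or -1 when the total would wrap or would not fit in an int. */
int qp_8bit_size(const unsigned char *in, unsigned long len, unsigned long *out)
{
    unsigned long total = 0;
    for (unsigned long i = 0; i < len; i++) {
        unsigned long add = ((in[i] & 0x80) || in[i] == '=') ? 3 : 1;
        if (total > ULONG_MAX - add)
            return -1;                     /* arithmetic wrap */
        total += add;
    }
    if (!length_fits_int(total))
        return -1;                         /* the check this report is about */
    *out = total;
    return 0;
}

/* Encode only after the size check passed; returns a malloc'd, NUL-terminated
 * buffer (length in *outlen) or NULL on overflow / allocation failure. */
char *qp_8bit_encode(const unsigned char *in, unsigned long len, unsigned long *outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    if (qp_8bit_size(in, len, outlen) != 0)
        return NULL;
    char *buf = malloc(*outlen + 1), *p = buf;
    if (buf == NULL) return NULL;
    for (unsigned long i = 0; i < len; i++) {
        if ((in[i] & 0x80) || in[i] == '=') {
            *p++ = '='; *p++ = hex[in[i] >> 4]; *p++ = hex[in[i] & 0x0F];
        } else {
            *p++ = (char)in[i];
        }
    }
    *p = '\0';
    return buf;
}
```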

History

 [2016-10-03 07:13 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-10-03 07:13 UTC] stas@php.net
The fix is in security repo as ef801b9bf96fb46b0418772a11a9b38f52cd93b4 and in https://gist.github.com/d65c900a4e4e46c5a7ca4e806dfc9e94

please verify
 [2016-10-03 07:22 UTC] minhrau dot vc dot 365 at gmail dot com
this patch is good. (y)
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ef801b9bf96fb46b0418772a11a9b38f52cd93b4
Log: Fix bug #73208 - another missing length check
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ef801b9bf96fb46b0418772a11a9b38f52cd93b4
Log: Fix bug #73208 - another missing length check
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ef801b9bf96fb46b0418772a11a9b38f52cd93b4
Log: Fix bug #73208 - another missing length check
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ef801b9bf96fb46b0418772a11a9b38f52cd93b4
Log: Fix bug #73208 - another missing length check
 [2017-02-13 01:11 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC