|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2016-10-08 07:49 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function mbfl_memory_device_output causes PHP 5.6.24 to crash when access an out of boundary address.
int
mbfl_memory_device_output(int c, void *data)
{
mbfl_memory_device *device = (mbfl_memory_device *)data;
if (device->pos >= device->length) {
/* reallocate buffer */
int newlen;
unsigned char *tmp;
newlen = device->length + device->allocsz;
tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
if (tmp == NULL) {
return -1;
}
device->length = newlen;
device->buffer = tmp;
}
device->buffer[device->pos++] = (unsigned char)c; // out of boundary access here
return c;
}
device->pos is declared as type INT.
As you can see in the output of GDB, when value of device->pos is over INTMAX (0x80000001), a sign extension operation is done to assign it value 0xffffffff80000001. Then the access to device->buffer[device->pos] will be an out of boundary access violation and causes PHP to crash.
Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat("Prüfung Prüfung", 0xffffffff/50);
$str1 = mb_encode_mimeheader($str, "ISO-8859-1", "Q");
?>
Expected result:
----------------
No crash
Actual result:
--------------
gdb-peda$ r ../test/test_mime2.php
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/test_mime2.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffe16123070
RBX: 0xa93d73 (<execute_ex>: push rbp)
RCX: 0x80000001
RDX: 0x50 ('P')
RSI: 0x7ffe96123070 ("=?ISO-8859-1?Q?Pr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr?=\r\n =?ISO-8859-1?Q?=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung?=\r\n =?ISO-8859-1?Q?=20Pr=FCfungPr=FCfung=20Pr=FCfu"...)
RDI: 0x50 ('P')
RBP: 0x7fffffffa540 --> 0x7fffffffa570 --> 0x7fffffffa590 --> 0x7fffffffa5c0 --> 0x7fffffffa5e0 --> 0x7fffffffa610 (--> ...)
RSP: 0x7fffffffa510 --> 0x7ffff7fbed80 --> 0x7ffe96123070 ("=?ISO-8859-1?Q?Pr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr?=\r\n =?ISO-8859-1?Q?=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung?=\r\n =?ISO-8859-1?Q?=20Pr=FCfungPr=FCfung=20Pr=FCfu"...)
RIP: 0x756dae (<mbfl_memory_device_output+162>: mov BYTE PTR [rax],dl)
R8 : 0x280
R9 : 0x0
R10: 0x1
R11: 0x7ffff44b6730 --> 0xfffda400fffda12f
R12: 0x439790 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe1b0 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x756da6 <mbfl_memory_device_output+154>: cdqe
0x756da8 <mbfl_memory_device_output+156>: add rax,rsi
0x756dab <mbfl_memory_device_output+159>: mov edx,DWORD PTR [rbp-0x24]
=> 0x756dae <mbfl_memory_device_output+162>: mov BYTE PTR [rax],dl
0x756db0 <mbfl_memory_device_output+164>: mov eax,DWORD PTR [rbp-0x24]
0x756db3 <mbfl_memory_device_output+167>: leave
0x756db4 <mbfl_memory_device_output+168>: ret
0x756db5 <mbfl_memory_device_output2>: push rbp
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa510 --> 0x7ffff7fbed80 --> 0x7ffe96123070 ("=?ISO-8859-1?Q?Pr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr?=\r\n =?ISO-8859-1?Q?=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung?=\r\n =?ISO-8859-1?Q?=20Pr=FCfungPr=FCfung=20Pr=FCfu"...)
0008| 0x7fffffffa518 --> 0x5000741998
0016| 0x7fffffffa520 --> 0x7ffff7fbfdc8 --> 0x7561f7 (<mbfl_filt_conv_common_ctor>: push rbp)
0024| 0x7fffffffa528 --> 0x5000a10bc9
0032| 0x7fffffffa530 --> 0x7ffff7fbed80 --> 0x7ffe96123070 ("=?ISO-8859-1?Q?Pr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr?=\r\n =?ISO-8859-1?Q?=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung?=\r\n =?ISO-8859-1?Q?=20Pr=FCfungPr=FCfung=20Pr=FCfu"...)
0040| 0x7fffffffa538 --> 0x6700000000 ('')
0048| 0x7fffffffa540 --> 0x7fffffffa570 --> 0x7fffffffa590 --> 0x7fffffffa5c0 --> 0x7fffffffa5e0 --> 0x7fffffffa610 (--> ...)
0056| 0x7fffffffa548 --> 0x741998 (<mbfl_filt_conv_qprintenc+790>: test eax,eax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000756dae in mbfl_memory_device_output (c=0x50, data=0x7ffff7fbed80) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:157
157 device->buffer[device->pos++] = (unsigned char)c;
gdb-peda$ p device->pos
$5 = 0x80000001
gdb-peda$ p device->buffer
$6 = (unsigned char *) 0x7ffe96123070 "=?ISO-8859-1?Q?Pr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr?=\r\n =?ISO-8859-1?Q?=FCfungPr=FCfung=20Pr=FCfungPr=FCfung=20Pr=FCfungPr=FCfung?=\r\n =?ISO-8859-1?Q?=20Pr=FCfungPr=FCfung=20Pr=FCfu"...
gdb-peda$ p device->buffer[device->pos]
Cannot access memory at address 0x7ffe16123071
gdb-peda$ p 0x7ffe16123071 - 0x7ffe96123070
$7 = 0xffffffff80000001
gdb-peda$ p 0x7ffe16123071 - 0x7ffe96123070 == device->pos
$8 = 0x1
gdb-peda$ bt
#0 0x0000000000756dae in mbfl_memory_device_output (c=0x50, data=0x7ffff7fbed80) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:157
#1 0x0000000000741998 in mbfl_filt_conv_qprintenc (c=0x0, filter=0x7ffff7fbfdc8) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/filters/mbfilter_qprint.c:133
#2 0x00000000007419f6 in mbfl_filt_conv_qprintenc_flush (filter=0x7ffff7fbfdc8) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/filters/mbfilter_qprint.c:147
#3 0x00000000007530d5 in mime_header_encoder_block_collector (c=0x50, data=0x7ffff7fbed50) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfilter.c:2102
#4 0x0000000000755883 in mbfl_filt_conv_pass (c=0x50, filter=0x7ffff7fbf110) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfilter_pass.c:63
#5 0x00000000007532c5 in mime_header_encoder_collector (c=0x50, data=0x7ffff7fbed50) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfilter.c:2158
#6 0x000000000074da7c in mbfl_filt_conv_utf8_wchar (c=0x50, filter=0x7ffff7fbf1d8) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/filters/mbfilter_utf8.c:118
#7 0x0000000000753c84 in mbfl_mime_header_encode (string=0x7fffffffa740, result=0x7fffffffa760, outcode=mbfl_no_encoding_8859_1, encoding=mbfl_no_encoding_qprint, linefeed=0x1002506 "", indent=0x0)
at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfilter.c:2377
#8 0x000000000075fbd8 in zif_mb_encode_mimeheader (ht=0x3, return_value=0x7ffff7fbecd8, return_value_ptr=0x7ffff7f86208, this_ptr=0x0, return_value_used=0x1) at /home/user/Desktop/php-5.6.26/ext/mbstring/mbstring.c:3381
#9 0x0000000000a9476b in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f862a0) at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:558
#10 0x0000000000a9a296 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f862a0) at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:2602
#11 0x0000000000a93dd3 in execute_ex (execute_data=0x7ffff7f862a0) at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:363
#12 0x0000000000a93e5a in zend_execute (op_array=0x7ffff7fbe430) at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:388
#13 0x0000000000a4c498 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/user/Desktop/php-5.6.26/Zend/zend.c:1341
#14 0x00000000009ad757 in php_execute_script (primary_file=0x7fffffffcd80) at /home/user/Desktop/php-5.6.26/main/main.c:2613
#15 0x0000000000b09556 in do_cli (argc=0x2, argv=0x13f5560) at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:994
#16 0x0000000000b0a8b9 in main (argc=0x2, argv=0x13f5560) at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378
#17 0x00007ffff4342830 in __libc_start_main (main=0xb0a09c <main>, argc=0x2, argv=0x7fffffffe1b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1a8) at ../csu/libc-start.c:291
#18 0x00000000004397b9 in _start ()
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Oct 24 01:00:02 2025 UTC |
2 other functions mbfl_memory_device_output2 and mbfl_memory_device_output4 also have the same problem. PHP code to trigger crash in mbfl_memory_device_output4: <?php ini_set('memory_limit', -1); $str = str_repeat('ボ', 0x7fffffff/3); $str1 = mb_convert_kana($str, "KVC"); ?> gdb-peda$ r ../test/string/test.php Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x7ffe6d130070 RBX: 0xa93d73 (<execute_ex>: push rbp) RCX: 0x80000001 RDX: 0x0 RSI: 0x7ffeed130070 --> 0x83e39c83e39c83e3 RDI: 0x0 RBP: 0x7fffffffa5f0 --> 0x7fffffffa610 --> 0x7fffffffa6a0 --> 0x7fffffffa770 --> 0x7fffffffa7e0 --> 0x7fffffffa820 (--> ...) RSP: 0x7fffffffa5c0 --> 0x7fffffffa680 --> 0x7ffeed130070 --> 0x83e39c83e39c83e3 RIP: 0x756f7b (<mbfl_memory_device_output4+245>: mov BYTE PTR [rax],dl) R8 : 0x748c39 (<mbfl_filt_tl_jisx0201_jisx0208>: push rbp) R9 : 0x749653 (<mbfl_filt_tl_jisx0201_jisx0208_flush>: push rbp) R10: 0x22 ('"') R11: 0x246 R12: 0x439790 (<_start>: xor ebp,ebp) R13: 0x7fffffffe1a0 --> 0x2 R14: 0x0 R15: 0x0 EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x756f72 <mbfl_memory_device_output4+236>: add rax,rsi 0x756f75 <mbfl_memory_device_output4+239>: mov edx,DWORD PTR [rbp-0x24] 0x756f78 <mbfl_memory_device_output4+242>: sar edx,0x8 => 0x756f7b <mbfl_memory_device_output4+245>: mov BYTE PTR [rax],dl 0x756f7d <mbfl_memory_device_output4+247>: mov rax,QWORD PTR [rbp-0x10] 0x756f81 <mbfl_memory_device_output4+251>: mov rsi,QWORD PTR [rax] 0x756f84 <mbfl_memory_device_output4+254>: mov rax,QWORD PTR [rbp-0x10] 0x756f88 <mbfl_memory_device_output4+258>: mov eax,DWORD PTR [rax+0xc] [------------------------------------stack-------------------------------------] 0000| 0x7fffffffa5c0 --> 0x7fffffffa680 --> 0x7ffeed130070 --> 0x83e39c83e39c83e3 0008| 0x7fffffffa5c8 --> 0x749744 (<mbfl_filt_tl_jisx0201_jisx0208_flush+241>: ) 0016| 0x7fffffffa5d0 --> 0x30dcf7fbeed8 0024| 0x7fffffffa5d8 --> 0x7ffff7fbeed8 --> 0x748c13 (<mbfl_filt_tl_jisx0201_jisx0208_init>: push rbp) 0032| 0x7fffffffa5e0 --> 0x7fffffffa680 --> 0x7ffeed130070 --> 0x83e39c83e39c83e3 0040| 0x7fffffffa5e8 --> 0x10900 0048| 0x7fffffffa5f0 --> 0x7fffffffa610 --> 0x7fffffffa6a0 --> 0x7fffffffa770 --> 0x7fffffffa7e0 --> 0x7fffffffa820 (--> ...) 0056| 0x7fffffffa5f8 --> 0x756cac (<mbfl_memory_device_result+63>: mov rax,QWORD PTR [rbp-0x8]) [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000000000756f7b in mbfl_memory_device_output4 (c=0x0, data=0x7fffffffa680) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:207 207 device->buffer[device->pos++] = (unsigned char)((c >> 8) & 0xff); gdb-peda$ bt #0 0x0000000000756f7b in mbfl_memory_device_output4 (c=0x0, data=0x7fffffffa680) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:207 #1 0x0000000000756cac in mbfl_memory_device_result (device=0x7fffffffa680, result=0x7fffffffa750) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:122 #2 0x0000000000752f92 in mbfl_ja_jp_hantozen (string=0x7fffffffa730, result=0x7fffffffa750, mode=0x10900) at /home/user/Desktop/php-5.6.26/ext/mbstring/libmbfl/mbfl/mbfilter.c:2045 #3 0x0000000000760031 in zif_mb_convert_kana (ht=0x2, return_value=0x7ffff7fbd610, return_value_ptr=0x7ffff7f86218, this_ptr=0x0, return_value_used=0x1) at /home/user/Desktop/php-5.6.26/ext/mbstring/mbstring.c:3508 #4 0x0000000000a9476b in zend_do_fcall_common_helper_SPEC ( execute_data=0x7ffff7f862b0) at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:558 #5 0x0000000000a9a296 in ZEND_DO_FCALL_SPEC_CONST_HANDLER ( execute_data=0x7ffff7f862b0) at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:2602 #6 0x0000000000a93dd3 in execute_ex (execute_data=0x7ffff7f862b0) at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:363 #7 0x0000000000a93e5a in zend_execute (op_array=0x7ffff7fbe4e0) at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:388 #8 0x0000000000a4c498 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/user/Desktop/php-5.6.26/Zend/zend.c:1341 #9 0x00000000009ad757 in php_execute_script (primary_file=0x7fffffffcd70) at /home/user/Desktop/php-5.6.26/main/main.c:2613 #10 0x0000000000b09556 in do_cli (argc=0x2, argv=0x13f5560) at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:994 #11 0x0000000000b0a8b9 in main (argc=0x2, argv=0x13f5560) at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378 #12 0x00007ffff4342830 in __libc_start_main (main=0xb0a09c <main>, argc=0x2, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:291 #13 0x00000000004397b9 in _start ()