Patches: simplestring-size_t (last revision 2016-10-19 15:03 UTC by krakjoe@php.net)
[2016-10-19 15:03 UTC] krakjoe@php.net
[2016-10-19 15:57 UTC] nguyenluan dot vnn at gmail dot com
[2016-10-20 01:05 UTC] stas@php.net
-Status: Open
+Status: Feedback
[2016-10-20 01:05 UTC] stas@php.net
[2016-10-20 03:44 UTC] nguyenluan dot vnn at gmail dot com
-Status: Feedback
+Status: Open
[2016-10-20 03:44 UTC] nguyenluan dot vnn at gmail dot com
[2016-10-20 03:57 UTC] krakjoe@php.net
[2016-10-20 04:31 UTC] stas@php.net
[2016-11-05 21:49 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
[2016-11-05 21:49 UTC] stas@php.net
[2016-11-11 13:04 UTC] nguyenluan dot vnn at gmail dot com
-Status: Closed
+Status: Assigned
[2016-11-11 13:04 UTC] nguyenluan dot vnn at gmail dot com
[2016-11-11 13:04 UTC] nguyenluan dot vnn at gmail dot com
-Status: Assigned
+Status: Open
[2016-11-11 13:04 UTC] nguyenluan dot vnn at gmail dot com
[2016-11-14 11:42 UTC] nguyenluan dot vnn at gmail dot com
-Status: Open
+Status: Closed
[2016-11-14 11:42 UTC] nguyenluan dot vnn at gmail dot com
[2017-02-13 01:06 UTC] stas@php.net
-Type: Security
+Type: Bug
Description:
------------
In function simplestring_addn:

void simplestring_addn(simplestring* target, const char* source, size_t add_len) {
   size_t newsize = target->size, incr = 0;
   ...
   ...
      if(target->str) {
         if(add_len) {
            memcpy(target->str + target->len, source, add_len);
         }
         target->len += add_len;
         target->str[target->len] = 0; /* null terminate */ // (1) crash here
      }
   }
}

target->len may receive a negative value and become a very big value due to sign extension. The access target->str[target->len] will then cause both versions of PHP 5 and 7 to crash.

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat('a', 0x7fffffff);
$str1 = xmlrpc_encode_request($str, array(1, 2, 3));
?>

Expected result:
----------------
No crash.

Actual result:
--------------
gdb-peda$ r ../test/string/test_xmlrpc_encode_request.php
Starting program: /home/user/Desktop/php-7.0.12/sapi/cli/php ../test/string/test_xmlrpc_encode_request.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffd6c9fd054
RBX: 0x0
RCX: 0x61 ('a')
RDX: 0x7ffdec9fd010 ("<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<methodCall>\n<methodName>", 'a' <repeats 131 times>...)
RSI: 0x7ffe6c9fe010 ('a' <repeats 200 times>...)
RDI: 0x7ffdec9fd055 ('a' <repeats 200 times>...)
RBP: 0x7fffffffa4c0 --> 0x7fffffffa500 --> 0x7fffffffa530 --> 0x7fffffffa5a0 --> 0x7fffffffa610 --> 0x7fffffffa660 (--> ...)
RSP: 0x7fffffffa490 --> 0x20 (' ')
RIP: 0x934609 (<simplestring_addn+463>: mov BYTE PTR [rax],0x0)
R8 : 0x7ffffff
R9 : 0x7ffffff
R10: 0x0
R11: 0x246
R12: 0x446410 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe190 --> 0x2
R14: 0x7fffed014030 --> 0x7fffed083180 --> 0xad11bb (<ZEND_DO_ICALL_SPEC_HANDLER>: push rbp)
R15: 0x7fffed083180 --> 0xad11bb (<ZEND_DO_ICALL_SPEC_HANDLER>: push rbp)
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x934601 <simplestring_addn+455>: mov eax,DWORD PTR [rax+0x8]
   0x934604 <simplestring_addn+458>: cdqe
   0x934606 <simplestring_addn+460>: add rax,rdx
=> 0x934609 <simplestring_addn+463>: mov BYTE PTR [rax],0x0
   0x93460c <simplestring_addn+466>: jmp 0x934612 <simplestring_addn+472>
   0x93460e <simplestring_addn+468>: nop
   0x93460f <simplestring_addn+469>: jmp 0x934612 <simplestring_addn+472>
   0x934611 <simplestring_addn+471>: nop
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa490 --> 0x20 (' ')
0008| 0x7fffffffa498 --> 0x7fffffff
0016| 0x7fffffffa4a0 --> 0x7ffe6c9fe010 ('a' <repeats 200 times>...)
0024| 0x7fffffffa4a8 --> 0x7fffffffa640 --> 0x7ffdec9fd010 ("<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<methodCall>\n<methodName>", 'a' <repeats 131 times>...)
0032| 0x7fffffffa4b0 --> 0x80000100
0040| 0x7fffffffa4b8 --> 0x100
0048| 0x7fffffffa4c0 --> 0x7fffffffa500 --> 0x7fffffffa530 --> 0x7fffffffa5a0 --> 0x7fffffffa610 --> 0x7fffffffa660 (--> ...)
0056| 0x7fffffffa4c8 --> 0x939729 (<simplestring_out_fptr+59>: mov eax,0x0)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000934609 in simplestring_addn (target=0x7fffffffa640, source=0x7ffe6c9fe010 'a' <repeats 200 times>..., add_len=0x7fffffff) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/simplestring.c:231
231         target->str[target->len] = 0; /* null terminate */
gdb-peda$ p target->len
$32 = 0x80000044 // (2) target->len has negative value
gdb-peda$ p $rax
$33 = 0x7ffd6c9fd054 // (3) the real target->str[target->len]
gdb-peda$ p target->str
$34 = 0x7ffdec9fd010 "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<methodCall>\n<methodName>", 'a' <repeats 131 times>...
gdb-peda$ p $rax - 0x7ffdec9fd010
$35 = 0xffffffff80000044 // (4) the target->str[target->len] crashes PHP
gdb-peda$ bt
#0  0x0000000000934609 in simplestring_addn (target=0x7fffffffa640, source=0x7ffe6c9fe010 'a' <repeats 200 times>..., add_len=0x7fffffff) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/simplestring.c:231
#1  0x0000000000939729 in simplestring_out_fptr (f=0x7fffffffa640, text=0x7ffe6c9fe010 'a' <repeats 200 times>..., size=0x7fffffff) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_element.c:513
#2  0x0000000000938cf3 in xml_elem_writefunc (fptr=0x9396ee <simplestring_out_fptr>, text=0x7ffe6c9fe010 'a' <repeats 200 times>..., data=0x7fffffffa640, len=0x0) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_element.c:281
#3  0x0000000000939500 in xml_element_serialize (el=0x1683d60, fptr=0x9396ee <simplestring_out_fptr>, data=0x7fffffffa640, options=0x1683a90, depth=0x2) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_element.c:462
#4  0x00000000009395ca in xml_element_serialize (el=0x1683c90, fptr=0x9396ee <simplestring_out_fptr>, data=0x7fffffffa640, options=0x1683a90, depth=0x1) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_element.c:482
#5  0x0000000000939780 in xml_elem_serialize_to_string (el=0x1683c90, options=0x1683a90, buf_len=0x0) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_element.c:542
#6  0x000000000093a8a0 in XMLRPC_REQUEST_ToXML (request=0x1683a70, buf_len=0x0) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:713
#7  0x0000000000931ca1 in zif_xmlrpc_encode_request (execute_data=0x7fffed014100, return_value=0x7fffed0140e0) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/xmlrpc-epi-php.c:701
#8  0x0000000000ad124f in ZEND_DO_ICALL_SPEC_HANDLER () at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:586
#9  0x0000000000ad0c7b in execute_ex (ex=0x7fffed014030) at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:414
#10 0x0000000000ad0d8c in zend_execute (op_array=0x7fffed082000, return_value=0x0) at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:458
#11 0x0000000000a71a45 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/user/Desktop/php-7.0.12/Zend/zend.c:1427
#12 0x00000000009d9f1e in php_execute_script (primary_file=0x7fffffffce10) at /home/user/Desktop/php-7.0.12/main/main.c:2494
#13 0x0000000000b3a041 in do_cli (argc=0x2, argv=0x149d560) at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:974
#14 0x0000000000b3b20f in main (argc=0x2, argv=0x149d560) at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:1344
#15 0x00007ffff3f11830 in __libc_start_main (main=0xb3aa04 <main>, argc=0x2, argv=0x7fffffffe198, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe188) at ../csu/libc-start.c:291
#16 0x0000000000446439 in _start ()
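The following C program is an added illustration, not part of the report above and not PHP's own source. It reproduces the arithmetic the gdb session shows without performing any out-of-bounds write: the sum len + add_len is truncated to a 32-bit signed field and then sign-extended to 64 bits, which is what the disassembly's `mov eax,DWORD PTR [rax+0x8]` followed by `cdqe` does. The `narrow_string` struct and its field order are an assumption made to mirror that, and `wide_addn` is a size_t-based variant written in the spirit of the `simplestring-size_t` patch named on this page; the patch's actual contents are not reproduced here. The input values are the report's: 0x45 bytes already in the buffer (0x80000044 - 0x7fffffff) and add_len = 0x7fffffff.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mirror of the narrow layout: a 32-bit signed len, as the
 * report's disassembly (mov eax,[rax+8]; cdqe) indicates. Field names
 * follow the report; the exact struct is an assumption. */
typedef struct {
    char *str;
    int   len;
    int   size;
} narrow_string;

/* Index that target->str[target->len] would use after appending add_len
 * bytes to a narrow_string, computed without writing anything. The sum is
 * truncated to 32 bits (the int field) and then sign-extended to 64 bits
 * (the cdqe); these two steps turn a large length into a negative offset.
 * The sign extension is done explicitly so the result does not depend on
 * implementation-defined conversion of out-of-range values to int. */
int64_t narrow_index_after_append(int len, size_t add_len)
{
    uint32_t truncated = (uint32_t)((size_t)len + add_len);
    if (truncated >= 0x80000000u)
        return (int64_t)truncated - 0x100000000LL;  /* sign bit set: negative */
    return (int64_t)truncated;
}

/* The check the narrow version lacks: the new length must still fit a
 * non-negative int with one byte left for the terminator. */
int narrow_append_would_overflow(int len, size_t add_len)
{
    if (len < 0 || len >= INT_MAX) return 1;
    return add_len > (size_t)(INT_MAX - len) - 1;
}

/* Widened variant (assumption about the simplestring-size_t patch):
 * size_t fields plus an explicit wrap check before any arithmetic. */
typedef struct {
    char  *str;
    size_t len;
    size_t size;
} wide_string;

/* Returns 0 on success, -1 if len + add_len + 1 would wrap size_t or the
 * allocation fails; on -1 the target is left unchanged. */
int wide_addn(wide_string *t, const char *src, size_t add_len)
{
    if (add_len > SIZE_MAX - t->len - 1)   /* len < size, so len < SIZE_MAX */
        return -1;
    size_t needed = t->len + add_len + 1;  /* payload plus NUL */
    if (needed > t->size) {
        size_t newsize = t->size ? t->size : 16;
        while (newsize < needed) {
            if (newsize > SIZE_MAX / 2) { newsize = needed; break; }
            newsize *= 2;
        }
        char *p = realloc(t->str, newsize);
        if (!p) return -1;
        t->str = p;
        t->size = newsize;
    }
    if (add_len) memcpy(t->str + t->len, src, add_len);
    t->len += add_len;
    t->str[t->len] = 0;  /* index is len, which is inside the buffer */
    return 0;
}

/* Self-check: two appends, then an append that must be refused. Returns the
 * final length (5) when every step behaved as documented, 0 otherwise. */
size_t wide_selfcheck(void)
{
    wide_string s = { NULL, 0, 0 };
    int ok = wide_addn(&s, "abc", 3) == 0 && wide_addn(&s, "de", 2) == 0
          && s.len == 5 && strcmp(s.str, "abcde") == 0
          && wide_addn(&s, "x", SIZE_MAX) == -1 && s.len == 5;
    size_t len = ok ? s.len : 0;
    free(s.str);
    return len;
}

int main(void)
{
    int64_t idx = narrow_index_after_append(0x45, 0x7fffffff);
    printf("narrow index after append: %lld (0x%llx as 64-bit)\n",
           (long long)idx, (unsigned long long)(uint64_t)idx);
    printf("narrow append would overflow: %d\n",
           narrow_append_would_overflow(0x45, 0x7fffffff));
    printf("wide_selfcheck final length: %zu\n", wide_selfcheck());
    return 0;
}
```

With the report's values the narrow index comes out as 0xffffffff80000044, the same offset gdb printed as `$35`, i.e. a one-byte write about 2 GiB below the start of the buffer. `narrow_append_would_overflow` is the bounds check that would have rejected the append while `len` was still an int; `wide_addn` is the other way out, widening the fields so the index can never be sign-extended and guarding the size_t addition itself.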