[2016-10-19 19:03 UTC] stas@php.net
-Status: Open
+Status: Feedback

[2016-10-20 00:48 UTC] nguyenluan dot vnn at gmail dot com
-Status: Feedback
+Status: Open

[2016-11-04 02:25 UTC] stas@php.net
-PHP Version: 7.0.12
+PHP Version: 5.6.27

[2016-11-04 05:55 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas

[2016-11-11 13:03 UTC] nguyenluan dot vnn at gmail dot com
-Status: Closed
+Status: Assigned

[2016-11-11 13:03 UTC] nguyenluan dot vnn at gmail dot com
-Status: Assigned
+Status: Open
-PHP Version: 5.6.27
+PHP Version: 7.0.13

[2016-11-14 11:44 UTC] nguyenluan dot vnn at gmail dot com
-Status: Open
+Status: Closed

[2017-02-13 01:06 UTC] stas@php.net
-Type: Security
+Type: Bug
Description:
------------
In the buffer_add function:

    void buffer_add(struct buffer_st *b, char c)
    {
        *(b->ptr++) = c;                            // (1) crash here (in the next call)
        b->offset++;
        if (b->offset == b->length) {
            b->length += 512;
            b->data = realloc(b->data, b->length);  // (2) missing NULL check here
            b->ptr = b->data + b->offset;           // (3) updating the pointer can make b->ptr point to an invalid address because b->data == NULL
        }
    }

There was a missing NULL check on the return value of realloc(), which leads to an invalid memory access in the next call to buffer_add() and causes both PHP 5 and 7 to crash. Please refer to the test script and debug log.

Test script:
---------------
    <?php
    ini_set('memory_limit', -1);
    $str = str_repeat('a', 0x7fffffff);
    xmlrpc_set_type($str, 'base64');
    $str1 = xmlrpc_encode($str);
    ?>

Expected result:
----------------
No crash

Actual result:
--------------
    gdb-peda$ r ../test/string/test_xmlrpc_encode.php
    Starting program: /home/user/Desktop/php-7.0.12/sapi/cli/php ../test/string/test_xmlrpc_encode.php
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x7ffffe00
    RBX: 0x7fffffff
    RCX: 0x7ffffe01
    RDX: 0x46 ('F')
    RSI: 0x46 ('F')
    RDI: 0x7fffffffa150 --> 0x0
    RBP: 0x7fffffffa020 --> 0x7fffffffa090 --> 0x7fffffffa390 --> 0x7fffffffa690 --> 0x7fffffffa6b0 --> 0x7fffffffa6e0 (--> ...)
    RSP: 0x7fffffffa010 --> 0x7f46ffffa030
    RIP: 0x934770 (<buffer_add+41>: mov BYTE PTR [rax],dl)
    R8 : 0xffffffffffffffff
    R9 : 0x0
    R10: 0x22 ('"')
    R11: 0x201
    R12: 0x446df0 (<_start>: xor ebp,ebp)
    R13: 0x7fffffffe1a0 --> 0x2
    R14: 0x7fffec614030 --> 0x7fffec6821e0 --> 0xad57c4 (<ZEND_DO_ICALL_SPEC_HANDLER>: push rbp)
    R15: 0x7fffec6821e0 --> 0xad57c4 (<ZEND_DO_ICALL_SPEC_HANDLER>: push rbp)
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x934764 <buffer_add+29>: mov rdx,QWORD PTR [rbp-0x8]
       0x934768 <buffer_add+33>: mov QWORD PTR [rdx+0x10],rcx
       0x93476c <buffer_add+37>: movzx edx,BYTE PTR [rbp-0xc]
    => 0x934770 <buffer_add+41>: mov BYTE PTR [rax],dl
       0x934772 <buffer_add+43>: mov rax,QWORD PTR [rbp-0x8]
       0x934776 <buffer_add+47>: mov eax,DWORD PTR [rax+0x18]
       0x934779 <buffer_add+50>: lea edx,[rax+0x1]
       0x93477c <buffer_add+53>: mov rax,QWORD PTR [rbp-0x8]
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffa010 --> 0x7f46ffffa030
    0008| 0x7fffffffa018 --> 0x7fffffffa150 --> 0x0
    0016| 0x7fffffffa020 --> 0x7fffffffa090 --> 0x7fffffffa390 --> 0x7fffffffa690 --> 0x7fffffffa6b0 --> 0x7fffffffa6e0 (--> ...)
    0024| 0x7fffffffa028 --> 0x934a2b (<base64_encode_xmlrpc+499>: mov rax,QWORD PTR [rbp-0x48])
    0032| 0x7fffffffa030 --> 0x7
    0040| 0x7fffffffa038 --> 0x7fffffff00446df0
    0048| 0x7fffffffa040 --> 0x7fff4aaa9942 ('a' <repeats 200 times>...)
    0056| 0x7fffffffa048 --> 0x7fffffffa150 --> 0x0
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x0000000000934770 in buffer_add (b=0x7fffffffa150, c=0x46) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/base64.c:34
    34          *(b->ptr++) = c;
    gdb-peda$ p b->ptr
    $7 = 0x7ffffe01 <error: Cannot access memory at address 0x7ffffe01>
    gdb-peda$ p b->data
    $8 = 0x0    // return address of realloc() = NULL in previous call
    gdb-peda$ p b->offset
    $9 = 0x7ffffe00
    gdb-peda$ bt
    #0  0x0000000000934770 in buffer_add (b=0x7fffffffa150, c=0x46) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/base64.c:34
    #1  0x0000000000934a2b in base64_encode_xmlrpc (b=0x7fffffffa150, source=0x7fff4aaa9942 'a' <repeats 200 times>..., length=0x7fffffff) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/base64.c:105
    #2  0x0000000000937fa7 in XMLRPC_to_xml_element_worker (current_vector=0x0, node=0x168df10, request_type=xmlrpc_request_none, depth=0x1) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:244
    #3  0x0000000000937cc9 in XMLRPC_to_xml_element_worker (current_vector=0x0, node=0x168df10, request_type=xmlrpc_request_none, depth=0x0) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:206
    #4  0x0000000000938474 in XMLRPC_VALUE_to_xml_element (node=0x168df10) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:368
    #5  0x000000000093b192 in XMLRPC_VALUE_ToXML (val=0x168df10, buf_len=0x0) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:664
    #6  0x0000000000932803 in zif_xmlrpc_encode (execute_data=0x7fffec614130, return_value=0x7fffec6140f0) at /home/user/Desktop/php-7.0.12/ext/xmlrpc/xmlrpc-epi-php.c:733
    #7  0x0000000000ad5858 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:586
    #8  0x0000000000ad5284 in execute_ex (ex=0x7fffec614030) at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:414
    #9  0x0000000000ad5395 in zend_execute (op_array=0x7fffec681000, return_value=0x0) at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:458
    #10 0x0000000000a7604e in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/user/Desktop/php-7.0.12/Zend/zend.c:1427
    #11 0x00000000009de527 in php_execute_script (primary_file=0x7fffffffce20) at /home/user/Desktop/php-7.0.12/main/main.c:2494
    #12 0x0000000000b3e64a in do_cli (argc=0x2, argv=0x14a3560) at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:974
    #13 0x0000000000b3f818 in main (argc=0x2, argv=0x14a3560) at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:1344
    #14 0x00007ffff3abf830 in __libc_start_main (main=0xb3f00d <main>, argc=0x2, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:291
    #15 0x0000000000446e19 in _start ()
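The report above shows the classic realloc() pitfall: the NULL return is stored straight into b->data, b->ptr is then computed from that NULL base, and the next append writes through it. The following is an added example, not the reporter's code and not libxmlrpc's, showing the reported pattern next to a hardened append that checks the allocation result and, on failure, leaves the old block, cursor and length untouched so the caller can still free() the buffer. The struct layout, the BUFFER_GROW constant, alloc_limit, limited_realloc() and fill_under_limit() are assumptions introduced here so that the failure path can be reproduced deterministically without exhausting memory.

```c
/* Added example (not the reporter's or PHP's code): growable buffer with a
   hardened append that checks realloc(). Names and layout are assumptions. */
#include <stdio.h>
#include <stdlib.h>

#define BUFFER_GROW 512

struct buffer_st {
    char *data;    /* base of the allocation */
    char *ptr;     /* write cursor, always data + offset */
    int length;    /* allocated size in bytes */
    int offset;    /* bytes written so far */
};

/* Hypothetical allocation cap in bytes; (size_t)-1 means no cap. It lets the
   example simulate an allocator failure on demand. */
static size_t alloc_limit = (size_t)-1;

static void *limited_realloc(void *p, size_t n) {
    if (n > alloc_limit) {
        return NULL;           /* simulated realloc() failure */
    }
    return realloc(p, n);
}

int buffer_init(struct buffer_st *b) {
    b->data = malloc(BUFFER_GROW);
    if (b->data == NULL) {
        return -1;
    }
    b->ptr = b->data;
    b->length = BUFFER_GROW;
    b->offset = 0;
    return 0;
}

/* The reported pattern, kept only for comparison and never called here: a
   NULL from realloc() becomes b->data, b->ptr is derived from it, and the
   next call writes through that bogus pointer. */
void buffer_add_unchecked(struct buffer_st *b, char c) {
    *(b->ptr++) = c;
    b->offset++;
    if (b->offset == b->length) {
        b->length += BUFFER_GROW;
        b->data = realloc(b->data, b->length);
        b->ptr = b->data + b->offset;
    }
}

/* Hardened variant: grows before writing and returns -1 if growth fails. On
   failure data/ptr/length are untouched, so nothing is ever derived from a
   NULL base and the old block is neither leaked nor dangling. */
int buffer_add_checked(struct buffer_st *b, char c) {
    if (b->offset == b->length) {
        int new_length = b->length + BUFFER_GROW;
        char *new_data = limited_realloc(b->data, (size_t)new_length);
        if (new_data == NULL) {
            return -1;         /* the check the original lacks */
        }
        b->data = new_data;    /* overwrite the base only once it is known good */
        b->length = new_length;
        b->ptr = b->data + b->offset;
    }
    *(b->ptr++) = c;
    b->offset++;
    return 0;
}

/* Fill a fresh buffer with n bytes under an allocation cap of `limit` bytes.
   Returns the number of bytes appended, or -1 if the buffer was left in an
   inconsistent state, which the hardened append must never do. */
long fill_under_limit(size_t limit, size_t n) {
    struct buffer_st b;
    long added = 0;
    int consistent;
    if (buffer_init(&b) != 0) {
        return -1;
    }
    alloc_limit = limit;
    while ((size_t)added < n && buffer_add_checked(&b, 'a') == 0) {
        added++;
    }
    alloc_limit = (size_t)-1;
    consistent = b.data != NULL
              && b.ptr == b.data + b.offset
              && b.offset == added
              && b.offset <= b.length
              && (added == 0 || (b.data[0] == 'a' && b.data[added - 1] == 'a'));
    free(b.data);
    return consistent ? added : -1;
}

int main(void) {
    printf("uncapped:       %ld bytes appended\n", fill_under_limit((size_t)-1, 100000));
    printf("capped at 1024: %ld bytes appended, growth refused, no crash\n",
           fill_under_limit(1024, 5000));
    return 0;
}
```

With the cap at 1024 bytes the buffer grows exactly once (512 to 1024), the second growth is refused, and the caller gets 1024 bytes back together with a valid buffer to free; with the reported code the same refusal would have produced the SIGSEGV in the backtrace above. Growing before the write rather than after it is what allows the failure to be reported without having already consumed the byte.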