Sec Bug #73376 crash in locale_get_keywords() when keyword value in locale string too long
Submitted: 2016-10-23 09:09 UTC Modified: 2016-11-14 11:45 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: intl (PECL)
PHP Version: 7.0.13 OS:
Private report: No CVE-ID: None

 [2016-10-23 09:09 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function locale_get_keywords():

PHP_FUNCTION( locale_get_keywords )
{
    UEnumeration*   e        = NULL;
    UErrorCode      status   = U_ZERO_ERROR;

    ...
    ...

    while( ( kw_key = uenum_next( e, &kw_key_len, &status ) ) != NULL ){
        kw_value_len = 100;
        kw_value_str = zend_string_alloc(kw_value_len, 0);

        /* Get the keyword value for each keyword */
        kw_value_len=uloc_getKeywordValue( loc_name, kw_key, ZSTR_VAL(kw_value_str), kw_value_len, &status );  // (1) crash in this call
        if (status == U_BUFFER_OVERFLOW_ERROR) {

    ...
    ...
}

When a large keyword value is passed in the locale string, this function causes PHP 7 to crash.

Test script:
---------------
<?php
    ini_set('memory_limit', -1);
    
    $str = str_repeat('test', 0x3fffffff);
    $keywords_arr = locale_get_keywords("de_DE@currency=EUR;collation=$str");
?>

Expected result:
----------------
No crash.

Actual result:
--------------
gdb-peda$ r ../test/string/test.php 
Starting program: /home/user/Desktop/php-7.0.12/sapi/cli/php ../test/string/test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x7fffebc730b8 ("testtesttesttesttesttesttesttestt")
RBX: 0xfffffffc 
RCX: 0x73657474 ('ttes')
RDX: 0x0 
RSI: 0x9 ('\t')
RDI: 0x7fffebdfffe0 --> 0x0 
RBP: 0x7fffffffa5e0 ("collation")
RSP: 0x7fffffffa588 --> 0x7ffff4350c65 (<uloc_getKeywordValue_55+741>:	)
RIP: 0x7ffff3939435 (<__strncpy_sse2_unaligned+3685>:	)
R8 : 0xffffffffffe73094 
R9 : 0x0 
R10: 0x1c 
R11: 0x7ffff3a1a650 --> 0xfff1e980fff1e970 
R12: 0x7ffdeb400035 ("testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest"...)
R13: 0x9 ('\t')
R14: 0x7fffebc730b8 ("testtesttesttesttesttesttesttestt")
R15: 0x7ffdeb40002b ("collation=testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttestte"...)
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff393942a <__strncpy_sse2_unaligned+3674>:	
    jb     0x7ffff3939449 <__strncpy_sse2_unaligned+3705>
   0x7ffff393942c <__strncpy_sse2_unaligned+3676>:	
    movdqa XMMWORD PTR [rdi],xmm0
   0x7ffff3939430 <__strncpy_sse2_unaligned+3680>:	
    movdqa XMMWORD PTR [rdi+0x10],xmm0
=> 0x7ffff3939435 <__strncpy_sse2_unaligned+3685>:	
    movdqa XMMWORD PTR [rdi+0x20],xmm0
   0x7ffff393943a <__strncpy_sse2_unaligned+3690>:	
    movdqa XMMWORD PTR [rdi+0x30],xmm0
   0x7ffff393943f <__strncpy_sse2_unaligned+3695>:	add    rdi,0x40
   0x7ffff3939443 <__strncpy_sse2_unaligned+3699>:	sub    r8,0x40
   0x7ffff3939447 <__strncpy_sse2_unaligned+3703>:	
    jae    0x7ffff393942c <__strncpy_sse2_unaligned+3676>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa588 --> 0x7ffff4350c65 (<uloc_getKeywordValue_55+741>:	)
0008| 0x7fffffffa590 --> 0x0 
0016| 0x7fffffffa598 --> 0x7ffdeb400034 ("=testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttes"...)
0024| 0x7fffffffa5a0 --> 0x7fffffffa704 --> 0x900000000 ('')
0032| 0x7fffffffa5a8 --> 0x7fffffffa5c0 ("collation")
0040| 0x7fffffffa5b0 --> 0x6400000000 ('')
0048| 0x7fffffffa5b8 --> 0x7fffebc730b8 ("testtesttesttesttesttesttesttestt")
0056| 0x7fffffffa5c0 ("collation")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__strncpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:1671
1671	../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such file or directory.

gdb-peda$ bt
#0  __strncpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:1671
#1  0x00007ffff4350c65 in uloc_getKeywordValue_55 ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#2  0x00000000006eea58 in zif_locale_get_keywords (
    execute_data=0x7fffebc141b0, return_value=0x7fffebc14120)
    at /home/user/Desktop/php-7.0.12/ext/intl/locale/locale_methods.c:732
#3  0x0000000000ad8506 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:586
#4  0x0000000000ad7f32 in execute_ex (ex=0x7fffebc14030)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:414
#5  0x0000000000ad8043 in zend_execute (op_array=0x7fffebc81000, 
    return_value=0x0)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:458
#6  0x0000000000a78cfc in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-7.0.12/Zend/zend.c:1427
#7  0x00000000009e11d5 in php_execute_script (primary_file=0x7fffffffce20)
    at /home/user/Desktop/php-7.0.12/main/main.c:2494
#8  0x0000000000b412f8 in do_cli (argc=0x2, argv=0x14a6630)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:974
#9  0x0000000000b424c6 in main (argc=0x2, argv=0x14a6630)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:1344
#10 0x00007ffff38b3830 in __libc_start_main (main=0xb41cbb <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#11 0x00000000004475a9 in _start ()
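
The register dump above shows where the damage comes from: RBX holds 0xfffffffc, the byte length of the test script's string (4 * 0x3fffffff), and ICU's C API carries lengths and buffer capacities as int32_t, so a string that long cannot be represented without truncation and R8 ends up as a negative copy count inside strncpy. The fixed-buffer call followed by a grow-on-U_BUFFER_OVERFLOW_ERROR retry that the snippet shows is the right pattern for keyword values, but it only helps once the input itself is small enough for ICU to handle. The C below is an added illustration of that defensive ordering; it is not code from this report, from php-src or from ICU. It uses a constructed stand-in for uloc_getKeywordValue (sim_getKeywordValue) so it runs without libicu, and LOCALE_MAX_BYTES, locale_length_ok and get_keyword_value are names chosen for the example. The bound of 157 is an assumption borrowed from ICU's ULOC_FULLNAME_CAPACITY; any bound far below INT32_MAX serves the purpose.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the ICU definitions the PHP code uses (constructed here). */
typedef int32_t UErrorCode;
#define U_ZERO_ERROR            0
#define U_BUFFER_OVERFLOW_ERROR 15

/* Bound on the locale string, checked before any ICU call. The value is an
 * assumption for this example (ICU's ULOC_FULLNAME_CAPACITY is 157); it only
 * has to sit far below INT32_MAX so int32_t length arithmetic cannot wrap.
 * The report's string is 0xfffffffc bytes (RBX in the dump): -4 as int32_t. */
#define LOCALE_MAX_BYTES 157

int locale_length_ok(size_t len) { return len <= LOCALE_MAX_BYTES; }

/* Simulated uloc_getKeywordValue() with the ICU convention: returns the full
 * value length, sets U_BUFFER_OVERFLOW_ERROR if value plus NUL exceeds cap. */
static int32_t sim_getKeywordValue(const char *locale, const char *key,
                                   char *buf, int32_t cap, UErrorCode *status)
{
    const char *at = strchr(locale, '@');
    const char *p = at ? at + 1 : NULL;
    size_t klen = strlen(key);
    while (p && *p) {
        const char *eq = strchr(p, '=');
        if (!eq) break;
        const char *end = strchr(eq + 1, ';');
        size_t vlen = end ? (size_t)(end - (eq + 1)) : strlen(eq + 1);
        if ((size_t)(eq - p) == klen && strncmp(p, key, klen) == 0) {
            if (vlen < (size_t)cap) { memcpy(buf, eq + 1, vlen); buf[vlen] = '\0'; }
            else *status = U_BUFFER_OVERFLOW_ERROR;
            return (int32_t)vlen;   /* safe cast: vlen <= LOCALE_MAX_BYTES */
        }
        if (!end) break;
        p = end + 1;
    }
    return 0;                       /* keyword absent */
}

/* Hardened lookup: validate length, then the fixed-buffer / grow-on-overflow
 * retry the PHP code already does. Returns a malloc'd string ("" when the
 * keyword is absent) or NULL when the input is rejected. */
char *get_keyword_value(const char *locale, const char *key)
{
    if (!locale_length_ok(strlen(locale))) return NULL;
    UErrorCode status = U_ZERO_ERROR;
    int32_t cap = 100;              /* same initial size as the PHP code */
    char *buf = calloc((size_t)cap, 1);
    if (!buf) return NULL;
    int32_t need = sim_getKeywordValue(locale, key, buf, cap, &status);
    if (status == U_BUFFER_OVERFLOW_ERROR) {
        cap = need + 1;             /* need <= LOCALE_MAX_BYTES, cannot wrap */
        char *grown = realloc(buf, (size_t)cap);
        if (!grown) { free(buf); return NULL; }
        buf = grown; status = U_ZERO_ERROR;
        need = sim_getKeywordValue(locale, key, buf, cap, &status);
    }
    if (status != U_ZERO_ERROR || need >= cap) { free(buf); return NULL; }
    return buf;
}

/* 1 if the keyword's value equals expected (expected == NULL: must be rejected). */
int keyword_value_equals(const char *locale, const char *key, const char *expected)
{
    char *v = get_keyword_value(locale, key);
    int ok = v ? (expected && strcmp(v, expected) == 0) : (expected == NULL);
    free(v);
    return ok;
}

/* Grow-and-retry path: a 120-byte value does not fit the initial buffer. */
int demo_grow_path(void)
{
    char value[121], locale[160];
    memset(value, 'x', 120); value[120] = '\0';
    snprintf(locale, sizeof locale, "en@calendar=%s", value);
    return keyword_value_equals(locale, "calendar", value);
}

/* A 200-byte locale stands in for the report's 4 GB one: rejected up front. */
int demo_oversized_rejected(void)
{
    char locale[201] = "de_DE@collation=";
    memset(locale + 16, 'a', 184);  /* 200 bytes total; [200] stays NUL */
    return keyword_value_equals(locale, "collation", NULL);
}

int main(void)
{
    printf("currency=%d grow=%d oversized_rejected=%d\n",
           keyword_value_equals("de_DE@currency=EUR;collation=phonebook", "currency", "EUR"),
           demo_grow_path(), demo_oversized_rejected());
    return 0;
}
```

The ordering is the point: the length check runs on the size_t value the caller actually has, before the string is ever handed to a function that narrows it to int32_t, so the grow-and-retry logic only ever sees lengths it can add one to without wrapping. The page does not show the commit that closed this bug, so the bound used here should be read as an illustration of the check, not as the project's chosen limit.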


History

 [2016-11-04 03:09 UTC] stas@php.net
-PHP Version: 7.0.12 +PHP Version: 5.6.27
 [2016-11-04 06:01 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 06:01 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.
 [2016-11-11 12:36 UTC] nguyenluan dot vnn at gmail dot com
-Status: Closed +Status: Assigned
 [2016-11-11 12:36 UTC] nguyenluan dot vnn at gmail dot com
I checked with PHP version 7.0.13, it still crashes. Please check again.
 [2016-11-11 12:37 UTC] nguyenluan dot vnn at gmail dot com
-Status: Assigned +Status: Open -PHP Version: 5.6.27 +PHP Version: 7.0.13
 [2016-11-11 12:37 UTC] nguyenluan dot vnn at gmail dot com
Open this issue again.
 [2016-11-14 11:45 UTC] nguyenluan dot vnn at gmail dot com
-Status: Open +Status: Closed
 [2016-11-14 11:45 UTC] nguyenluan dot vnn at gmail dot com
Fixed in PHP 7.1.0 RC6. Please close.

Thanks.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jan 02 11:01:29 2025 UTC