PHP :: Bug #73496 :: Invalid memory access in zend_inline_hash

Bug #73496

Invalid memory access in zend_inline_hash_func

Submitted:

2016-11-11 08:43 UTC

Modified:

2020-11-18 14:02 UTC

Votes:	2
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

ahihibughunter at gmail dot com

Assigned:

cmb (profile)

Status:

Duplicate

Package:

Filter related

PHP Version:

7.0.13

OS:

ALL

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	ahihibughunter at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2016-11-11 08:43 UTC] ahihibughunter at gmail dot com

Description:
------------
in function php_stream_filter_create, filtername has very large value and cause crash in zend_hash_str_find_ptr.

PHPAPI php_stream_filter *php_stream_filter_create(const char *filtername, zval *filterparams, int persistent)
{
	......

	n = (int)strlen(filtername);     <-       filtername has very large value

	if (NULL != (factory = zend_hash_str_find_ptr(filter_hash, filtername, n))) {   <- crash here  
		filter = factory->create_filter(filtername, filterparams, persistent);
    ....
}

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat('a', 0x8fffff00);
stream_filter_register($str,$str);
$fd = fopen('php://memory','w');
$filter = stream_filter_append($fd, $str);
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
....
Program received signal SIGSEGV, Segmentation fault.
0x0000000000a199ac in zend_inline_hash_func (str=0x7fffec800001 <error: Cannot access memory at address 0x7fffec800001>, len=18446744069414584088)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_string.h:330
330			hash = ((hash << 5) + hash) + *str++;
(gdb) bt
#0  0x0000000000a199ac in zend_inline_hash_func (str=0x7fffec800001 <error: Cannot access memory at address 0x7fffec800001>, len=18446744069414584088)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_string.h:330
#1  0x0000000000a1fb89 in zend_hash_str_find (ht=0x7fffed602840, str=0x7fff5c800018 'a' <repeats 200 times>..., len=18446744071830503168) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_hash.c:1998
#2  0x0000000000995b73 in zend_hash_str_find_ptr (ht=0x7fffed602840, str=0x7fff5c800018 'a' <repeats 200 times>..., len=18446744071830503168) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_hash.h:697
#3  0x0000000000996623 in php_stream_filter_create (filtername=0x7fff5c800018 'a' <repeats 200 times>..., filterparams=0x0, persistent=0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/streams/filter.c:260
#4  0x0000000000929e04 in apply_filter_to_stream (append=1, execute_data=0x7fffed614140, return_value=0x7fffed614120) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/standard/streamsfuncs.c:1157
#5  0x0000000000929ff4 in zif_stream_filter_append (execute_data=0x7fffed614140, return_value=0x7fffed614120) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/standard/streamsfuncs.c:1212
#6  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#7  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#8  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#9  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#10 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcab0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#11 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c5a0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#12 0x0000000000ad18aa in main (argc=2, argv=0x141c5a0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-18 14:40 UTC] krakjoe@php.net

-Type: Security +Type: Bug

[2016-11-18 14:40 UTC] krakjoe@php.net

This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security

[2016-11-19 01:01 UTC] ahihibughunter at gmail dot com

Hi krakjoe, be fair pls, u change the rules before i report this, or at least give me bounty for this. Thanks.

[2016-11-19 01:16 UTC] ahihibughunter at gmail dot com

I mean after. Thanks

[2016-11-19 15:30 UTC] rasmus@php.net

We don't have any bug bounties.

[2020-11-18 14:02 UTC] cmb@php.net

-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb

[2020-11-18 14:02 UTC] cmb@php.net

This is actually a duplicate of bug #72743.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 17:01:29 2024 UTC