Bug #73522 integer overflow in mbfl_memory_device_strncat
Submitted: 2016-11-15 08:09 UTC Modified: 2017-07-23 10:09 UTC
From: ahihibughunter at gmail dot com Assigned: nikic
Status: Closed Package: mbstring related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID: None
 [2016-11-15 08:09 UTC] ahihibughunter at gmail dot com
Description:
------------
In function mbfl_memory_device_strncat:

mbfl_memory_device_strncat(mbfl_memory_device *device, const char *psrc, int len)
{
	unsigned char *w;
......
	w = &device->buffer[device->pos];
	device->pos += len;           /* len is a signed int: a negative len moves the cursor backwards */
	while (len > 0) {
		*w++ = *psrc++;       /* <- crash here */
		len--;
	}

	return len;
}

device->pos may have a negative value, causing PHP 7 to crash.

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$to = 'zx@zxisreal.com';
$headers = str_repeat('a', 0x80001000);
mb_send_mail($to, mb_language(), "test", $headers);
?>

Expected result:
----------------
No crash

Actual result:
--------------
$gdb ../php7new/php-src-PHP-7.0.13/sapi/cli/php
(gdb) r crash.php 
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000756a66 in mbfl_memory_device_strncat (device=0x7fffffffa350, psrc=0x100f642 "IME-Version: 1.0", len=17)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:268
268			*w++ = *psrc++;
(gdb) print w
$1 = (unsigned char *) 0xffffffff80001001 <error: Cannot access memory at address 0xffffffff80001001>
(gdb) bt
#0  0x0000000000756a66 in mbfl_memory_device_strncat (device=0x7fffffffa350, psrc=0x100f642 "IME-Version: 1.0", len=17)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:268
#1  0x0000000000761f5f in zif_mb_send_mail (execute_data=0x7fffed614110, return_value=0x7fffed614100) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/mbstring.c:4448
#2  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#3  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#4  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#5  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#6  0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcab0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#7  0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#8  0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb) 
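The failure the report describes, as an added example that is not part of the bug report or of libmbfl: `len` is an `int`, so a header longer than INT_MAX arrives truncated to a negative value; `device->pos += len` then moves the cursor backwards without copying a byte, and the next append (the `MIME-Version: 1.0` line visible in the backtrace with `len=17`) computes `&device->buffer[device->pos]` roughly 2 GiB before the buffer, which is the wild `w` gdb prints. The stand-in `mem_device`, `vuln_strncat`, `vuln_cursor_after`, `safe_strncat` and `hardened_behaves` are assumptions made for this illustration; the hardened variant is one possible fix, not the change that closed the bug.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not libmbfl code: a cut-down stand-in for
 * mbfl_memory_device that keeps the int-sized cursor and length. */
typedef struct {
    unsigned char *buffer;
    int length;   /* bytes allocated */
    int pos;      /* write cursor */
} mem_device;

static int dev_init(mem_device *d, int initial)
{
    d->buffer = malloc((size_t)initial);
    if (d->buffer == NULL) return -1;
    d->length = initial;
    d->pos = 0;
    return 0;
}

static void dev_free(mem_device *d)
{
    free(d->buffer);
    d->buffer = NULL;
}

/* Same shape as the reported function: int len and an unchecked cursor
 * update. Bytes are copied only while len > 0, so a negative len writes
 * nothing; it drags pos backwards, and the *next* append computes
 * &buffer[pos] far below the allocation. */
static int vuln_strncat(mem_device *d, const char *src, int len)
{
    if (d->pos + len >= d->length) {
        int newlen = d->length + len + 64;
        unsigned char *tmp = realloc(d->buffer, (size_t)newlen);
        if (tmp == NULL) return -1;
        d->length = newlen;
        d->buffer = tmp;
    }
    unsigned char *w = &d->buffer[d->pos];
    d->pos += len;
    while (len > 0) {
        *w++ = (unsigned char)*src++;
        len--;
    }
    return len;
}

/* Model the caller handing a size_t string length to the int parameter.
 * Returns the cursor after that append: negative once header_len reaches
 * 2^31, because the size_t-to-int conversion wraps on the usual
 * two's-complement ABI (implementation-defined in C). The source is a
 * 32-byte filler, so positive lengths are clamped to it; the huge length,
 * the case of interest, never reads src at all. */
static int vuln_cursor_after(size_t header_len)
{
    char filler[32];
    mem_device d;
    int len = (int)header_len;          /* the lossy conversion */
    memset(filler, 'a', sizeof filler);
    if (len > (int)sizeof filler) len = (int)sizeof filler;
    if (dev_init(&d, 64) != 0) return 0;
    vuln_strncat(&d, filler, len);
    int pos = d.pos;
    dev_free(&d);
    return pos;
}

/* Hardened variant (an assumption for this example, not the fix that
 * landed in PHP): take size_t and refuse any append the int cursor or
 * the int length could not represent, before anything is touched. */
static int safe_strncat(mem_device *d, const char *src, size_t len)
{
    if (d->pos < 0 || len > (size_t)(INT_MAX - d->pos)) return -1;
    int ilen = (int)len;                /* now provably fits */
    if (d->pos + ilen >= d->length) {
        if (d->length > INT_MAX - ilen - 64) return -1;   /* newlen would overflow */
        int newlen = d->length + ilen + 64;
        unsigned char *tmp = realloc(d->buffer, (size_t)newlen);
        if (tmp == NULL) return -1;
        d->length = newlen;
        d->buffer = tmp;
    }
    memcpy(d->buffer + d->pos, src, len);
    d->pos += ilen;
    return 0;
}

/* Drive the hardened variant with the report's header length: the
 * oversized append must be refused with the cursor left at 0, and the
 * header line from the crash backtrace must still append cleanly.
 * Returns 1 on that behaviour; lengths that fit in int are not the case
 * under test and return 0. */
static int hardened_behaves(size_t header_len)
{
    const char *mime = "MIME-Version: 1.0";
    size_t mlen = strlen(mime);
    mem_device d;
    if (header_len <= (size_t)INT_MAX) return 0;
    if (dev_init(&d, 64) != 0) return 0;
    int rejected = (safe_strncat(&d, "", header_len) == -1) && d.pos == 0;
    int appended = (safe_strncat(&d, mime, mlen) == 0)
                && d.pos == (int)mlen
                && memcmp(d.buffer, mime, mlen) == 0;
    dev_free(&d);
    return rejected && appended;
}

int main(void)
{
    size_t reported = (size_t)0x80001000;   /* str_repeat('a', 0x80001000) in the test script */
    printf("vulnerable cursor after a %zu-byte header: %d\n",
           reported, vuln_cursor_after(reported));
    printf("hardened variant refuses it and keeps working: %s\n",
           hardened_behaves(reported) ? "yes" : "no");
    return 0;
}
```

The vulnerable path is exercised only up to the cursor corruption; the second append that dereferences the wild pointer is deliberately not performed, since on the real build it is the SIGSEGV shown above. The point of the hardened version is that the width check happens before the cursor moves, so a rejected append leaves the device exactly as it was.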


History

 [2016-11-18 14:40 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:40 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2017-07-23 10:09 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2017-07-23 10:09 UTC] nikic@php.net
This is fixed in master.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Jul 12 10:01:33 2025 UTC