Bug #73528 Crash in zif_mb_send_mail
Submitted: 2016-11-15 14:24 UTC Modified: 2017-07-22 15:36 UTC
From: ahihibughunter at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID: None
 [2016-11-15 14:24 UTC] ahihibughunter at gmail dot com
Description:
------------
In function mb_send_mail
PHP_FUNCTION(mb_send_mail)
{
.....

	if (to != NULL) {
		if (to_len > 0) {
			to_r = estrndup(to, to_len);
			for (; to_len; to_len--) {
				if (!isspace((unsigned char) to_r[to_len - 1])) {
					break;
				}
				to_r[to_len - 1] = '\0';
			}
			for (i = 0; to_r[i]; i++) {    <- crash here
				if (iscntrl((unsigned char) to_r[i])) {
....
}
When to_len has a very big value, this leads to an invalid memory access on to_r[i] (i becomes a negative number) and causes php7 to crash.

Test script:
---------------
<?php
// Lift the memory limit so a 2 GiB string can be allocated.
ini_set('memory_limit', -1);

// 0x80001000 = 2147487744 bytes, larger than INT_MAX (2147483647).
$to  = str_repeat('a',0x80001000);
$headers = 'foo';
mb_send_mail($to, mb_language(), "test", $headers);
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../php7new/php-src-PHP-7.0.13/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
(gdb) r test.php 
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000761bc2 in zif_mb_send_mail (execute_data=0x7fffed614110, return_value=0x7fffed614100) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/mbstring.c:4364
4364				for (i = 0; to_r[i]; i++) {
(gdb) bt
#0  0x0000000000761bc2 in zif_mb_send_mail (execute_data=0x7fffed614110, return_value=0x7fffed614100) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/mbstring.c:4364
#1  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#2  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#3  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#4  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#5  0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#6  0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#7  0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb) print i
$1 = -2147483648
(gdb) print to_len
$2 = 2147487744
(gdb) 

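The report above describes a loop that walks a caller-controlled buffer with an `int` index while the buffer length is a `size_t`. The following is an added example written for this page; it is not PHP's code and not the upstream fix referenced in the history below. It shows the same recipient sanitisation (trim trailing whitespace, reject control bytes) written so that every index is a `size_t` and the scan is bounded by the known length, plus a small helper that states when the original `int i` loop reaches a negative index. The names `int_index_wraps`, `sanitise_recipient`, the `REC_*` codes and the `MAX_RECIPIENT_LEN` cap are this example's own assumptions, and the sample addresses are constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes for sanitise_recipient(); the names are this example's own. */
enum {
    REC_OK = 0,
    REC_EMPTY,         /* nothing left after trimming */
    REC_CONTROL_CHAR,  /* CR, LF, NUL or another control byte present */
    REC_TOO_LONG,      /* exceeds the assumed header length cap */
    REC_NOMEM
};

/* Assumed cap on a single recipient header; not a PHP or RFC constant. */
#define MAX_RECIPIENT_LEN ((size_t)8192)

/*
 * Does `for (i = 0; to_r[i]; i++)` with `int i` reach a negative index on
 * a NUL-free buffer of `len` bytes?  It does as soon as len exceeds
 * INT_MAX: incrementing i past INT_MAX is signed overflow, which is
 * undefined behaviour in C; on the reporter's build it wrapped to
 * INT_MIN, the -2147483648 that gdb printed for i.
 */
int int_index_wraps(size_t len)
{
    return len > (size_t)INT_MAX;
}

/*
 * Copy `to` into a fresh NUL-terminated buffer, strip trailing whitespace
 * and reject any remaining control byte (a CR or LF here would let a
 * caller append extra mail headers).  Every index is a size_t and the
 * scan is bounded by the known length rather than by a NUL, so no
 * caller-supplied length can become a negative subscript, and an
 * embedded NUL is rejected instead of silently truncating the header.
 * On REC_OK, *out receives a malloc'd string the caller frees; on any
 * other result *out is NULL.
 */
int sanitise_recipient(const char *to, size_t to_len, char **out)
{
    char *buf;
    size_t i;

    *out = NULL;
    if (to_len > MAX_RECIPIENT_LEN) {
        return REC_TOO_LONG;
    }
    buf = malloc(to_len + 1);
    if (buf == NULL) {
        return REC_NOMEM;
    }
    memcpy(buf, to, to_len);
    buf[to_len] = '\0';

    /* Trim trailing whitespace, the same shape as the report's first loop. */
    while (to_len > 0 && isspace((unsigned char)buf[to_len - 1])) {
        buf[--to_len] = '\0';
    }
    if (to_len == 0) {
        free(buf);
        return REC_EMPTY;
    }

    /* Length-bounded scan with a size_t index, not `int i` over a
       NUL-terminated string. */
    for (i = 0; i < to_len; i++) {
        if (iscntrl((unsigned char)buf[i])) {
            free(buf);
            return REC_CONTROL_CHAR;
        }
    }

    *out = buf;
    return REC_OK;
}

int main(void)
{
    /* Constructed inputs for illustration. */
    const char *samples[] = {
        "alice@example.com \t\n",
        "bob@example.com\r\nBcc: eve@example.com",
        "   "
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        char *clean;
        int rc = sanitise_recipient(samples[n], strlen(samples[n]), &clean);
        printf("rc=%d clean=%s\n", rc, clean ? clean : "(null)");
        free(clean);
    }
    printf("0x80001000 wraps an int index: %d\n", int_index_wraps(0x80001000u));
    return 0;
}
```

The length cap is optional hardening and is not what makes the loop safe; the index type is. Whatever cap a real mailer chooses, the second loop must not depend on the buffer being shorter than `INT_MAX`.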

History
 [2016-11-18 14:36 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:36 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2017-07-23 09:56 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bd63c0f5b3efd1689a231fccebe74e798e1bbd88
Log: Fix bug #73528
 [2017-07-23 09:56 UTC] nikic@php.net
-Status: Open +Status: Closed