Bug #73534 Invalid memory access in mbfl_memory_device_output
Submitted: 2016-11-16 04:23 UTC Modified: 2017-07-23 10:13 UTC
From: ahihibughunter at gmail dot com Assigned:
Status: Duplicate Package: mbstring related
PHP Version: 5.6.28 OS: ALL
Private report: No CVE-ID: None
 [2016-11-16 04:23 UTC] ahihibughunter at gmail dot com
Description:
------------
In function mbfl_memory_device_output:

mbfl_memory_device_output(int c, void *data)
{
...

		device->buffer = tmp;
	}

	device->buffer[device->pos++] = (unsigned char)c; <- crash here
	return c;
}

When device->pos has a very large value, it causes PHP 5 to crash.

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$ahihi  = str_repeat('a',0x7fffffff);
mb_strtolower($ahihi);
?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../../php5new/php-src-PHP-5.6.28/sapi/cli/php 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
(gdb) r mb_strtolower_basic.phpt.php 
Starting program: /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php mb_strtolower_basic.phpt.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".


Program received signal SIGSEGV, Segmentation fault.
0x000000000074e185 in mbfl_memory_device_output (c=0, data=0x7ffff7fb7190) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:157
157		device->buffer[device->pos++] = (unsigned char)c;
(gdb) bt
#0  0x000000000074e185 in mbfl_memory_device_output (c=0, data=0x7ffff7fb7190) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:157
#1  0x0000000000741185 in mbfl_filt_conv_wchar_ucs4be (c=97, filter=0x7ffff7fb5be8) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/libmbfl/filters/mbfilter_ucs4.c:216
#2  0x0000000000744e53 in mbfl_filt_conv_utf8_wchar (c=97, filter=0x7ffff7fb7588) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/libmbfl/filters/mbfilter_utf8.c:118
#3  0x0000000000746891 in mbfl_buffer_converter_feed2 (convd=0x7ffff7fb7180, string=0x7fffffffa290, loc=0x0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/libmbfl/mbfl/mbfilter.c:284
#4  0x00000000007467da in mbfl_buffer_converter_feed (convd=0x7ffff7fb7180, string=0x7fffffffa290) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/libmbfl/mbfl/mbfilter.c:261
#5  0x0000000000746a42 in mbfl_buffer_converter_feed_result (convd=0x7ffff7fb7180, string=0x7fffffffa290, result=0x7fffffffa2b0)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/libmbfl/mbfl/mbfilter.c:348
#6  0x0000000000756032 in php_mb_convert_encoding (input=0x7fff6d538070 'a' <repeats 200 times>..., length=2147483647, _to_encoding=0x1089256 "UCS-4BE", _from_encodings=0x1078c45 "UTF-8", 
    output_len=0x7fffffffa330) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/mbstring.c:3051
#7  0x000000000075db0a in php_unicode_convert_case (case_mode=1, srcstr=0x7fff6d538070 'a' <repeats 200 times>..., srclen=2147483647, ret_len=0x7fffffffa3b0, src_encoding=0x1078c45 "UTF-8")
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/php_unicode.c:284
#8  0x00000000007567de in zif_mb_strtolower (ht=1, return_value=0x7ffff7fb4548, return_value_ptr=0x7ffff7f7a208, this_ptr=0x0, return_value_used=0)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/mbstring/mbstring.c:3202
#9  0x0000000000b0bbaa in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f7a280) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:558
.....
(gdb) print device->pos
$1 = -2147483647
(gdb) 
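The gdb session above shows device->pos, an int, sitting at -2147483647 after a 0x7fffffff-byte input was converted to a 4-bytes-per-character encoding: the offset wrapped and the store indexed far outside the allocation. The following is an added example, not libmbfl or PHP code, of how a byte sink in the shape of mbfl_memory_device_output can refuse a write instead of letting the offset wrap. The struct mem_device, the functions mem_device_init, mem_device_output, mem_device_write and the demo_* scenarios, and the -1 error return are all constructed for this illustration; the near-INT_MAX state in demo_overflow_guard is simulated by setting the bookkeeping fields, no multi-gigabyte buffer is allocated.

```c
/* Added example (not libmbfl code): a bounds-checked byte sink in the shape
 * of mbfl_memory_device_output. All names and the -1 error convention are
 * constructed for this illustration. */
#include <limits.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *buffer;
    int length;   /* bytes currently allocated */
    int pos;      /* next write offset; the field that went negative in the report */
    int allocsz;  /* growth step used when the buffer is full */
} mem_device;

/* Allocate the initial buffer. Returns 0 on success, -1 on failure. */
int mem_device_init(mem_device *device, int initsz, int allocsz)
{
    if (device == NULL || initsz <= 0 || allocsz <= 0) return -1;
    device->buffer = malloc((size_t)initsz);
    if (device->buffer == NULL) return -1;
    device->length = initsz;
    device->pos = 0;
    device->allocsz = allocsz;
    return 0;
}

void mem_device_free(mem_device *device)
{
    free(device->buffer);
    device->buffer = NULL;
    device->length = device->pos = 0;
}

/* Append one byte. Returns c on success, -1 when the device state is invalid
 * or the buffer cannot grow without the int offset becoming unrepresentable. */
int mem_device_output(int c, void *data)
{
    mem_device *device = (mem_device *)data;

    /* A negative offset means the counter already wrapped (or the state is
     * corrupt): refuse rather than index before the buffer. */
    if (device == NULL || device->buffer == NULL || device->pos < 0) return -1;

    if (device->pos >= device->length) {
        /* Validate the growth arithmetic before doing it: length + allocsz
         * must stay representable, or pos could later exceed INT_MAX. */
        if (device->length > INT_MAX - device->allocsz) return -1;
        int newlen = device->length + device->allocsz;
        unsigned char *tmp = realloc(device->buffer, (size_t)newlen);
        if (tmp == NULL) return -1;
        device->buffer = tmp;
        device->length = newlen;
    }

    /* Here 0 <= pos < length <= INT_MAX, so pos++ cannot wrap. */
    device->buffer[device->pos++] = (unsigned char)c;
    return c;
}

/* Append a string byte by byte, stopping at the first failure.
 * Returns the number of bytes actually written. */
int mem_device_write(mem_device *device, const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++, n++) {
        if (mem_device_output((unsigned char)*s, device) < 0) break;
    }
    return n;
}

/* Scenario 1: ordinary growth. Returns 1 if the buffer grew and holds the data. */
int demo_normal_write(void)
{
    mem_device d;
    if (mem_device_init(&d, 4, 4) != 0) return 0;
    int written = mem_device_write(&d, "hello");
    int ok = (written == 5 && d.pos == 5 && d.length == 8 &&
              memcmp(d.buffer, "hello", 5) == 0);
    mem_device_free(&d);
    return ok;
}

/* Scenario 2: simulated near-INT_MAX state (constructed: only the
 * bookkeeping fields are set, the real buffer stays 16 bytes).
 * Returns 1 if the write is refused and the device is left untouched. */
int demo_overflow_guard(void)
{
    mem_device d;
    if (mem_device_init(&d, 16, 8) != 0) return 0;
    d.length = INT_MAX - 4;   /* pretend the allocation is almost at the int limit */
    d.pos = d.length;         /* next write would need growth */
    int r = mem_device_output('a', &d);
    int ok = (r == -1 && d.pos == INT_MAX - 4 && d.length == INT_MAX - 4);
    d.length = 16;            /* restore the real size before freeing */
    mem_device_free(&d);
    return ok;
}

/* Scenario 3: an already-wrapped offset, the value printed in the report's
 * gdb session. Returns 1 if the write is refused. */
int demo_wrapped_offset(void)
{
    mem_device d;
    if (mem_device_init(&d, 16, 8) != 0) return 0;
    d.pos = -2147483647;
    int r = mem_device_output('a', &d);
    d.pos = 0;
    mem_device_free(&d);
    return r == -1;
}
```

The two checks that matter are the `pos < 0` refusal at entry and the `length > INT_MAX - allocsz` test before growth; together they keep the invariant 0 <= pos < length <= INT_MAX, so the increment after the store can never wrap. A caller that feeds bytes in a loop, like mem_device_write, must also stop on the first -1 rather than keep going.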


History

 [2016-11-16 22:02 UTC] stas@php.net
Duplicate of bug #73505
 [2016-11-16 22:03 UTC] stas@php.net
-Status: Open +Status: Duplicate
 [2017-07-23 10:13 UTC] nikic@php.net
-Type: Security +Type: Bug