Bug #73559 output_add_rewrite_var null dereference
Submitted: 2016-11-18 03:18 UTC Modified: 2023-10-14 16:40 UTC
From: fernando at null-life dot com Assigned: bukka (profile)
Status: Not a bug Package: Output Control
PHP Version: 7.0.13 OS: Windows
Private report: No CVE-ID: None
 [2016-11-18 03:18 UTC] fernando at null-life dot com
Description:
------------
If the supplied value parameter is too big, output_add_rewrite_var will cause an exception with a null dereference.

The debugging output comes from an older PHP 7.0.10 release, but I've checked that it also affects the current 7.0.13.

static void php_url_scanner_output_handler(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode)
{
	size_t len;

-->	if (ZSTR_LEN(BG(url_adapt_state_ex).url_app.s) != 0) {
		*handled_output = url_adapt_ext(output, output_len, &len, (zend_bool) (mode & (PHP_OUTPUT_HANDLER_END | PHP_OUTPUT_HANDLER_CONT | PHP_OUTPUT_HANDLER_FLUSH | PHP_OUTPUT_HANDLER_FINAL) ? 1 : 0));
		if (sizeof(uint) < sizeof(size_t)) {
			if (len > UINT_MAX)
				len = UINT_MAX;
		}
		*handled_output_len = len;
	} else if (ZSTR_LEN(BG(url_adapt_state_ex).url_app.s) == 0) {
		url_adapt_state_ex_t *ctx = &BG(url_adapt_state_ex);
		if (ctx->buf.s && ZSTR_LEN(ctx->buf.s)) {
			smart_str_append(&ctx->result, ctx->buf.s);
			smart_str_appendl(&ctx->result, output, output_len);

			*handled_output = estrndup(ZSTR_VAL(ctx->result.s), ZSTR_LEN(ctx->result.s));
			*handled_output_len = ZSTR_LEN(ctx->buf.s) + output_len;

			smart_str_free(&ctx->buf);
			smart_str_free(&ctx->result);
		} else {
			*handled_output = estrndup(output, *handled_output_len = output_len);
		}
	} else {
		*handled_output = NULL;
	}
}



Test script:
---------------
<?php

ini_set('memory_limit', -1);

$v1="test";
$v2=str_repeat("a", 192000000);
output_add_rewrite_var($v1,$v2);



Expected result:
----------------
No crash

Actual result:
--------------
(910.1a78): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

0:000:x86> r
eax=00000000 ebx=00000023 ecx=50a36dd0 edx=04000000 esi=0928f2a0 edi=50a36dd0
eip=50a36dd6 esp=0928f254 ebp=0928f32c iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010247
php7!php_url_scanner_output_handler+0x6:
50a36dd6 83780c00        cmp     dword ptr [eax+0Ch],0 ds:002b:0000000c=????????

HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:50a36dd6 cmp dword ptr [eax+0ch],0

Basic Block:
    50a36dd6 cmp dword ptr [eax+0ch],0
       Tainted Input operands: 'eax'
    50a36dda je php7!php_url_scanner_output_handler+0x3e (50a36e0e)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x4c62c173.0xc2bad5bd

 Hash Usage : Stack Trace:
Major+Minor : php7!php_url_scanner_output_handler+0x6
Major+Minor : php7!php_output_handler_compat_func+0x4e
Major+Minor : php7!php_output_end_all+0x314
Major+Minor : php7!php_request_shutdown+0x101
Major+Minor : php!do_cli+0xdd9
Minor       : php!main+0x44e
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_773e0000!__RtlUserThreadStart+0x2f
Minor       : ntdll_773e0000!_RtlUserThreadStart+0x1b
Instruction Address: 0x0000000050a36dd6
Source File: c:\php-sdk\php70\vc14\x86\php-7.0.10rc1\ext\standard\url_scanner_ex.re
Source Line: 469
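Worked example, added here and not part of the report or of PHP's own source: a C model of the 32-bit zend_string and smart_str layouts that accounts for the faulting address. In the windbg output above, eax (the zend_string pointer) is 0 and the instruction reads [eax+0Ch]; on an x86 PHP 7 build the refcounted header is 8 bytes and the hash 4, so ZSTR_LEN() reads len at offset 12 (0xC), which is the first condition of the quoted handler evaluated on a url_app.s that is NULL. The model reproduces that offset, places the unchecked test beside the NULL-guarded form the same function already uses for ctx->buf.s, and walks a smart_str through its fresh, appended and freed states. Struct and function names (zstr32, sstr32, sstr32_append, url_app_nonempty_*) are this example's own, not PHP's; the model does not explain why the reporter's 192 MB value left url_app.s unset, which the thread never establishes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* 32-bit model of PHP 7's zend_string: zend_refcounted_h (two uint32_t),
 * the hash (zend_ulong is 32-bit on x86), then len. Offsets 0, 4, 8, 12.
 * Field widths are pinned to the x86 sizes so the offset matches the
 * disassembly; the real header uses zend_ulong/size_t. */
typedef struct {
    uint32_t refcount;
    uint32_t type_info;
    uint32_t h;
    uint32_t len;        /* offsetof == 12 == 0xC, the faulting address */
    char     val[1];
} zstr32;

/* 32-bit model of smart_str: s is NULL until the first append, and
 * smart_str_free() sets it back to NULL. */
typedef struct {
    zstr32 *s;
    size_t  a;
} sstr32;

/* Mirrors ZSTR_LEN(): a plain field read with no NULL check. */
#define ZSTR_LEN32(zs) ((zs)->len)

/* Offset read by `cmp dword ptr [eax+0Ch],0` once eax (the string pointer)
 * is 0. */
size_t model_len_offset(void)
{
    return offsetof(zstr32, len);
}

/* Append n bytes; returns 1 on success, 0 (leaving *dst untouched) when the
 * new length would not fit the 32-bit len field or allocation fails. */
int sstr32_append(sstr32 *dst, const char *src, size_t n)
{
    size_t old = dst->s ? dst->s->len : 0;
    zstr32 *ns;

    if (n > (size_t)UINT32_MAX - old)
        return 0;
    ns = realloc(dst->s, sizeof(zstr32) + old + n);
    if (!ns)
        return 0;
    if (!dst->s) {
        ns->refcount = 1;
        ns->type_info = 0;
        ns->h = 0;
    }
    memcpy(ns->val + old, src, n);
    ns->len = (uint32_t)(old + n);
    ns->val[ns->len] = '\0';
    dst->s = ns;
    dst->a = old + n;
    return 1;
}

/* Mirrors smart_str_free(): releases the buffer and resets s to NULL. */
void sstr32_free(sstr32 *dst)
{
    free(dst->s);
    dst->s = NULL;
    dst->a = 0;
}

/* Shape of the first test in php_url_scanner_output_handler() as quoted in
 * the report: dereferences url_app->s unconditionally, so it reads address
 * 0xC when s is NULL. Only call this with a populated smart_str. */
int url_app_nonempty_unchecked(const sstr32 *url_app)
{
    return ZSTR_LEN32(url_app->s) != 0;
}

/* Hardened shape: the NULL guard the same function already applies to
 * ctx->buf.s (`ctx->buf.s && ZSTR_LEN(ctx->buf.s)`). */
int url_app_nonempty_guarded(const sstr32 *url_app)
{
    return url_app->s != NULL && ZSTR_LEN32(url_app->s) != 0;
}

/* Walks the lifecycle: a fresh smart_str, one with a constructed name=value
 * pair appended, and one after free. Returns how many of those states would
 * have made the unchecked read dereference NULL (-1 on allocation failure). */
int count_null_deref_states(void)
{
    sstr32 app = { NULL, 0 };
    int nulls = 0;

    if (app.s == NULL) nulls++;               /* fresh: unchecked read faults */
    if (!sstr32_append(&app, "test=aaaa", 9)) /* constructed sample pair */
        return -1;
    (void)url_app_nonempty_unchecked(&app);   /* populated: safe either way */
    sstr32_free(&app);
    if (app.s == NULL) nulls++;               /* freed: unchecked read faults */
    return nulls;
}
```

The guarded form is the only change the model suggests; whether the real handler ever sees url_app.s == NULL in a default build is exactly what the later comments in this thread could not reproduce.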


 [2016-11-18 14:39 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:39 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2016-11-20 16:59 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-11-20 16:59 UTC] ab@php.net
Thanks for the report. I was checking the supplied snippet, but I am unable to reproduce the crash with the latest dev state, nor with 7.0.5, 32- and 64-bit, with and without USE_ZEND_ALLOC. What am I missing?

Thanks.
 [2016-11-20 22:41 UTC] fernando at null-life dot com
-Status: Feedback +Status: Open
 [2016-11-20 22:41 UTC] fernando at null-life dot com
I'm not using USE_ZEND_ALLOC. Can you please try it like this?
I just noticed that if I remove any of these extensions, the exception will not occur.

windbg -hd -xd gp -xd bpe -xd wob -o -G -c "r" C:\tools\php7013\php.exe -n -dextension=ext\php_odbc.dll -dextension=ext\php_imap.dll -dextension=ext\php_intl.dll out.php
 [2016-11-21 15:25 UTC] ab@php.net
Nope, still no crash :( Please see https://gist.github.com/anonymous/70a260010fe1b49af2dac9433c93241e. It also shouldn't matter which debugger is used; a crash should invoke Watson to pick up in a debugger anyway.

Thanks.
 [2016-12-26 19:07 UTC] fernando at null-life dot com
I can't reproduce this on my work machine (4 GB RAM / Win 8.1), but it worked on my home desktop (12 GB / Win 10). Maybe something related to the RAM/allocation prevents the crash from happening?

I can try again later on a different machine with 32 GB RAM / Win 10.
 [2023-10-14 16:40 UTC] bukka@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: bukka
 [2023-10-14 16:40 UTC] bukka@php.net
I'm going to close this as it is not reproducible and no further feedback was provided. If you still see an issue, please create a new GitHub issue with more feedback. This wouldn't be a security issue even if reproducible, so please create a normal public issue.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Fri May 09 08:01:35 2025 UTC