PHP :: Bug #73634 :: grapheme_strpos illegal memory access

Bug #73634	grapheme_strpos illegal memory access
Submitted:	2016-12-01 15:06 UTC	Modified:	2017-01-16 09:19 UTC
From:	fernando at null-life dot com	Assigned:
Status:	Closed	Package:	intl (PECL)
PHP Version:	7.0.13	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	fernando at null-life dot com
New email:
PHP Version:		OS:

New Comment:

[2016-12-01 15:06 UTC] fernando at null-life dot com

Description:
------------
Negative offset parameter and a big string haystack causes illegal memory access in zend_memnstr_ex function, through grapheme_strpos.


Source code:
https://github.com/php/php-src/blob/PHP-7.0.14/Zend/zend_operators.c#L2923


ZEND_API const char* ZEND_FASTCALL zend_memnstr_ex(const char *haystack, const char *needle, size_t needle_len, const char *end) /* {{{ */
{
        unsigned int td[256];
        register size_t i;
        register const char *p;

        if (needle_len == 0 || (end - haystack) == 0) {
                return NULL;
        }

        zend_memnstr_ex_pre(td, needle, needle_len, 0);

        p = haystack;
        end -= needle_len;

        while (p <= end) {
                for (i = 0; i < needle_len; i++) {
                        if (needle[i] != p[i]) {                // Illegal memory access
                                break;
                        }
                }
                if (i == needle_len) {
                        return p;
                }
                if (UNEXPECTED(p == end)) {
                        return NULL;
                }
                p += td[(unsigned char)(p[needle_len])];
        }

        return NULL;
}


GDB output:

LD_LIBRARY_PATH=/home/operac/icu58/lib USE_ZEND_ALLOC=1 ASAN_OPTIONS=detect_leaks=0 gdb -q --args /home/operac/build5/bin/php -dextension=/home/operac/build5/lib/php/20151012-debug/intl.so -n poc.php
Reading symbols from /home/operac/build5/bin/php...done.
(gdb) r
Starting program: /home/operac/build5/bin/php -dextension=/home/operac/build5/lib/php/20151012-debug/intl.so -n poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000e3e188 in zend_memnstr_ex (haystack=0x7ffeec200015 <error: Cannot access memory at address 0x7ffeec200015>, needle=0x7fffef257b18 "ABCD", needle_len=4,
    end=0x7fffec200013 "1111") at /home/operac/build5/php-src/Zend/zend_operators.c:2923
2923                            if (needle[i] != p[i]) {
(gdb) bt
#0  0x0000000000e3e188 in zend_memnstr_ex (haystack=0x7ffeec200015 <error: Cannot access memory at address 0x7ffeec200015>, needle=0x7fffef257b18 "ABCD",
    needle_len=4, end=0x7fffec200013 "1111") at /home/operac/build5/php-src/Zend/zend_operators.c:2923
#1  0x00007fffeef1ff55 in zend_memnstr (haystack=0x7ffeec200015 <error: Cannot access memory at address 0x7ffeec200015>, needle=0x7fffef257b18 "ABCD", needle_len=4,
    end=0x7fffec200017 "") at /home/operac/build5/php-src/Zend/zend_operators.h:182
#2  0x00007fffeef208f7 in zif_grapheme_strpos (execute_data=0x7fffef213100, return_value=0x7fffef2130f0)
    at /home/operac/build5/php-src/ext/intl/grapheme/grapheme_string.c:142
#3  0x0000000000f277dd in ZEND_DO_ICALL_SPEC_HANDLER () at /home/operac/build5/php-src/Zend/zend_vm_execute.h:586
#4  0x0000000000f26873 in execute_ex (ex=0x7fffef213030) at /home/operac/build5/php-src/Zend/zend_vm_execute.h:414
#5  0x0000000000f26aee in zend_execute (op_array=0x7fffef280000, return_value=0x0) at /home/operac/build5/php-src/Zend/zend_vm_execute.h:458
#6  0x0000000000e49c67 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/operac/build5/php-src/Zend/zend.c:1427
#7  0x0000000000d0b9d9 in php_execute_script (primary_file=0x7fffffffd010) at /home/operac/build5/php-src/main/main.c:2494
#8  0x0000000001058a1d in do_cli (argc=4, argv=0x60400000de90) at /home/operac/build5/php-src/sapi/cli/php_cli.c:974
#9  0x000000000105a82d in main (argc=4, argv=0x60400000de90) at /home/operac/build5/php-src/sapi/cli/php_cli.c:1344



Test script:
---------------
<?php
ini_set('memory_limit', -1);

$v1=str_repeat("1", 0x8fffffff);
grapheme_strpos($v1, "ABCD", -2);

Expected result:
----------------
No crash

Actual result:
--------------
ASan output:

ASAN:SIGSEGV
=================================================================
==16336==ERROR: AddressSanitizer: SEGV on unknown address 0x7f600de00015 (pc 0x000000e3e188 bp 0x7ffcfa5b0050 sp 0x7ffcfa5afb90 T0)
    #0 0xe3e187 in zend_memnstr_ex /home/operac/build5/php-src/Zend/zend_operators.c:2923
    #1 0x7f6110b1ff54 in zend_memnstr /home/operac/build5/php-src/Zend/zend_operators.h:182
    #2 0x7f6110b208f6 in zif_grapheme_strpos /home/operac/build5/php-src/ext/intl/grapheme/grapheme_string.c:142
    #3 0xf277dc in ZEND_DO_ICALL_SPEC_HANDLER /home/operac/build5/php-src/Zend/zend_vm_execute.h:586
    #4 0xf26872 in execute_ex /home/operac/build5/php-src/Zend/zend_vm_execute.h:414
    #5 0xf26aed in zend_execute /home/operac/build5/php-src/Zend/zend_vm_execute.h:458
    #6 0xe49c66 in zend_execute_scripts /home/operac/build5/php-src/Zend/zend.c:1427
    #7 0xd0b9d8 in php_execute_script /home/operac/build5/php-src/main/main.c:2494
    #8 0x1058a1c in do_cli /home/operac/build5/php-src/sapi/cli/php_cli.c:974
    #9 0x105a82c in main /home/operac/build5/php-src/sapi/cli/php_cli.c:1344
    #10 0x7f61166dd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x430a88 in _start (/home/operac/build5/bin/php+0x430a88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/operac/build5/php-src/Zend/zend_operators.c:2923 zend_memnstr_ex
==16336==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-01-16 09:19 UTC] stas@php.net

-Type: Security +Type: Bug

[2017-01-16 09:19 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8c44d07fd485a8e8d62bc6e4fe14bec5493ebc58
Log: Fix bug #73634 - grapheme_strpos illegal memory access

[2017-01-16 09:19 UTC] stas@php.net

-Status: Open +Status: Closed

[2017-06-20 20:29 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=18b6de7a91859df736781a3ea0bd248b94a9a6df
Log: Fix bug #73634 - grapheme_strpos illegal memory access

[2017-06-21 04:33 UTC] sixd@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=18b6de7a91859df736781a3ea0bd248b94a9a6df
Log: Fix bug #73634 - grapheme_strpos illegal memory access

[2017-06-21 14:53 UTC] ab@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5189e43b6dfe1774f8876214d2c583a64a446226
Log: Fix bug #73634 - grapheme_strpos illegal memory access

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC