Bug #75152 signed integer overflow in parse_iv (ext/standard/var_unserializer.c:339)
Submitted: 2017-09-02 20:06 UTC Modified: 2020-12-18 12:32 UTC
Votes: 5
Avg. Score: 4.2 ± 1.0
Reproduced: 3 of 4 (75.0%)
Same Version: 3 (100.0%)
Same OS: 3 (100.0%)
From: geeknik at protonmail dot ch Assigned: cmb (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.1.9 OS: Ubuntu 16 x64
Private report: No CVE-ID: None
 [2017-09-02 20:06 UTC] geeknik at protonmail dot ch
Description:
------------
Triggered during AFL fuzzing. Only tested against 7.1.8 and 7.1.9. If we set USE_ZEND_ALLOC=0 the signed integer overflow remains, but the memory allocation error goes away.

Test script:
---------------
echo -ne 'o:200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000:"' | UBSAN_OPTIONS=print_stacktrace=1 ~/php-7.1.9/sapi/cli/php -r 'unserialize(file_get_contents("php://stdin"));'

Actual result:
--------------
/root/php-7.1.9/ext/standard/var_unserializer.c:339:20: runtime error: signed integer overflow: 2000000000000000000 * 10 cannot be represented in type 'long'
    #0 0x11cef10 in parse_iv2 /root/php-7.1.9/ext/standard/var_unserializer.c:339:20
    #1 0x11cef10 in object_common1 /root/php-7.1.9/ext/standard/var_unserializer.c:507
    #2 0x11c935c in php_var_unserialize_internal /root/php-7.1.9/ext/standard/var_unserializer.c:1372:13
    #3 0x118f3fd in zif_unserialize /root/php-7.1.9/ext/standard/var.c:1114:7
    #4 0x16b6789 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/php-7.1.9/Zend/zend_vm_execute.h:628:2
    #5 0x156d6f3 in execute_ex /root/php-7.1.9/Zend/zend_vm_execute.h:432:7
    #6 0x156e2ef in zend_execute /root/php-7.1.9/Zend/zend_vm_execute.h:474:2
    #7 0x13d5845 in zend_eval_stringl /root/php-7.1.9/Zend/zend_execute_API.c:1120:4
    #8 0x13d617b in zend_eval_stringl_ex /root/php-7.1.9/Zend/zend_execute_API.c:1161:11
    #9 0x13d617b in zend_eval_string_ex /root/php-7.1.9/Zend/zend_execute_API.c:1172
    #10 0x17bb258 in do_cli /root/php-7.1.9/sapi/cli/php_cli.c:1024:8
    #11 0x17b8f40 in main /root/php-7.1.9/sapi/cli/php_cli.c:1381:18
    #12 0x7fd3d03a83f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
    #13 0x43ab99 in _start (/root/php-7.1.9/sapi/cli/php+0x43ab99)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/php-7.1.9/ext/standard/var_unserializer.c:339:20 in

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 2415919104 bytes) in Command line code on line 1
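The report above boils down to the accumulator pattern `result = result * 10 + digit` run over an attacker-chosen digit string with no range check: once the count in `o:<count>:` exceeds what a `long` can hold, the multiply wraps (undefined behaviour in C, which is what UBSan flags), and the wrapped value then feeds an allocation size. The following is an added example, not PHP's own `parse_iv` code and not the fix that shipped in 7.1.10: it shows the unsafe accumulator beside a checked parser that refuses before the overflowing multiply, and a toy `o:<count>:` header parser that additionally rejects any count larger than the bytes left in the input. The sample inputs are constructed for this example and are shorter than the fuzzer case on the page; the function names and the `hdr_status` values are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Unsafe accumulator, kept only to show the pattern behind the sanitizer
 * report: on a long enough digit string result*10 overflows (UB). */
static long parse_long_naive(const char *s, size_t len)
{
    long result = 0;
    for (size_t i = 0; i < len && s[i] >= '0' && s[i] <= '9'; i++)
        result = result * 10 + (s[i] - '0');   /* no range check: may overflow */
    return result;
}

/* Checked parser (example code): optional sign, then digits; stops at the
 * first non-digit and reports how many bytes it consumed. Returns false on
 * empty input or when the value does not fit in a long. The value is built in
 * the negative range so LONG_MIN, whose magnitude exceeds LONG_MAX, fits. */
bool parse_long_checked(const char *s, size_t len, long *out, size_t *consumed)
{
    size_t i = 0;
    bool neg = false;
    if (i < len && (s[i] == '-' || s[i] == '+')) { neg = (s[i] == '-'); i++; }
    if (i >= len || s[i] < '0' || s[i] > '9') return false;

    long acc = 0;
    for (; i < len && s[i] >= '0' && s[i] <= '9'; i++) {
        int d = s[i] - '0';
        /* test BEFORE the multiply: acc*10 - d must stay >= LONG_MIN */
        if (acc < LONG_MIN / 10 || (acc == LONG_MIN / 10 && -d < LONG_MIN % 10))
            return false;
        acc = acc * 10 - d;
    }
    if (!neg) {
        if (acc == LONG_MIN) return false;   /* -LONG_MIN is not representable */
        acc = -acc;
    }
    *out = acc;
    if (consumed) *consumed = i;
    return true;
}

/* Parsed value, or dflt when the input is malformed or out of range. */
long parsed_or(const char *s, long dflt)
{
    long v;
    return parse_long_checked(s, strlen(s), &v, NULL) ? v : dflt;
}

enum hdr_status { HDR_OK = 0, HDR_BAD_FORMAT = 1, HDR_OUT_OF_RANGE = 2 };

/* Toy cut-down of an "o:<count>:" object header (illustration only, not the
 * unserialize grammar). A count that fits in a long is still not enough: each
 * property needs at least one byte of input, so a count larger than the bytes
 * remaining after the header is certainly bogus and is refused before anyone
 * turns it into an allocation size. */
enum hdr_status parse_object_header(const char *buf, size_t len, long *count, size_t *consumed)
{
    if (len < 4 || buf[0] != 'o' || buf[1] != ':') return HDR_BAD_FORMAT;
    if (buf[2] != '-' && buf[2] != '+' && (buf[2] < '0' || buf[2] > '9')) return HDR_BAD_FORMAT;
    long n;
    size_t used;
    if (!parse_long_checked(buf + 2, len - 2, &n, &used)) return HDR_OUT_OF_RANGE;
    if (2 + used >= len || buf[2 + used] != ':') return HDR_BAD_FORMAT;
    size_t hdr = 2 + used + 1;
    if (n < 0 || (unsigned long)n > len - hdr) return HDR_OUT_OF_RANGE;
    *count = n;
    if (consumed) *consumed = hdr;
    return HDR_OK;
}

/* Status for a NUL-terminated header, for main() and the tests. */
enum hdr_status header_status(const char *s)
{
    long count;
    return parse_object_header(s, strlen(s), &count, NULL);
}

/* Constructed sample inputs (not the page's exact bytes). */
static const char SANE_INPUT[]       = "o:1:{s:1:\"a\";i:1;}";    /* count 1, OK */
static const char OVERFLOW_INPUT[]   = "o:20000000000000000000000000:\""; /* 2e25 > LONG_MAX */
static const char HUGE_COUNT_INPUT[] = "o:4000000000:\"";           /* fits a long, exceeds input */

int main(void)
{
    printf("%-36s -> %d\n", SANE_INPUT, header_status(SANE_INPUT));
    printf("%-36s -> %d\n", OVERFLOW_INPUT, header_status(OVERFLOW_INPUT));
    printf("%-36s -> %d\n", HUGE_COUNT_INPUT, header_status(HUGE_COUNT_INPUT));
    printf("naive 42 = %ld\n", parse_long_naive("42", 2));
    return 0;
}
```

Two points worth carrying over to any hand-written number parser in a deserializer: do the range test before the arithmetic that could overflow, since checking afterwards is already undefined behaviour in C, and bound the parsed count against the input actually present rather than trusting that a value which fits in a `long` is a sane allocation size. Setting `USE_ZEND_ALLOC=0`, as the report notes, only changes which allocator hits the limit; it does not touch the overflow itself.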

 [2017-09-11 04:45 UTC] laruence@php.net
-Type: Security +Type: Bug
 [2017-09-11 04:45 UTC] laruence@php.net
According to https://wiki.php.net/security?s[]=security&s[]=bug
"requires invocation of functions with specific arguments, which may be valid but are obviously malicious"

this should not be a security bug.
 [2017-09-21 23:04 UTC] geeknik at protonmail dot ch
For some reason, this is still hidden from the public and shows Private report: Yes.
 [2020-12-18 12:32 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-12-18 12:32 UTC] cmb@php.net
This is fixed as of PHP 7.1.10: <https://3v4l.org/oP9cC>.