Sec Bug #77380 Global out of bounds read in xmlrpc base64 code
Submitted: 2018-12-30 19:44 UTC Modified: 2019-02-22 22:09 UTC
From: hanno at hboeck dot de Assigned: stas (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9024
 [2018-12-30 19:44 UTC] hanno at hboeck dot de
Description:
------------
The sample code below will cause a global out of bounds buffer read.

This seems to happen due to a bad base64 input.

It seems that in ext/xmlrpc/libxmlrpc/base64.c there's a second base64 implementation in the PHP code. I was quite surprised by this and it's probably not desirable and should use the "normal" base64 code in PHP that's probably better tested.

ASAN error:
==27771==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000030ee593 at pc 0x0000015d3c46 bp 0x7ffcf5d8fb70 sp 0x7ffcf5d8fb68
READ of size 1 at 0x0000030ee593 thread T0
    #0 0x15d3c45 in base64_decode_xmlrpc /f/php/php-7.2.13/ext/xmlrpc/libxmlrpc/base64.c:172:10
    #1 0x15d9bda in xml_element_to_XMLRPC_REQUEST_worker /f/php/php-7.2.13/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:139:10
    #2 0x15d9e8c in xml_element_to_XMLRPC_REQUEST /f/php/php-7.2.13/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:181:45
    #3 0x15e4502 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.13/ext/xmlrpc/libxmlrpc/xmlrpc.c:823:13
    #4 0x15c5b5b in decode_request_worker /f/php/php-7.2.13/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #5 0x15c5b5b in zif_xmlrpc_decode /f/php/php-7.2.13/ext/xmlrpc/xmlrpc-epi-php.c:818
    #6 0x1bc89b8 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.13/Zend/zend_vm_execute.h:617:2
    #7 0x1981d2c in execute_ex /f/php/php-7.2.13/Zend/zend_vm_execute.h:59739:7
    #8 0x1982615 in zend_execute /f/php/php-7.2.13/Zend/zend_vm_execute.h:63776:2
    #9 0x17bef41 in zend_eval_stringl /f/php/php-7.2.13/Zend/zend_execute_API.c:1083:4
    #10 0x17bf87f in zend_eval_stringl_ex /f/php/php-7.2.13/Zend/zend_execute_API.c:1124:11
    #11 0x17bf87f in zend_eval_string_ex /f/php/php-7.2.13/Zend/zend_execute_API.c:1135
    #12 0x1d024b6 in do_cli /f/php/php-7.2.13/sapi/cli/php_cli.c:1044:8
    #13 0x1cffbd2 in main /f/php/php-7.2.13/sapi/cli/php_cli.c:1406:18
    #14 0x7fd1a18f94ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #15 0x423dc9 in _start (/r/php/php+0x423dc9)

0x0000030ee593 is located 45 bytes to the left of global variable 'get_type_str_mapping.first' defined in '/f/php/php-7.2.13/ext/xmlrpc/xmlrpc-epi-php.c' (0x30ee5c0) of size 1
  'get_type_str_mapping.first' is ascii string ''
0x0000030ee593 is located 11 bytes to the right of global variable 'str_mapping' defined in '/f/php/php-7.2.13/ext/xmlrpc/xmlrpc-epi-php.c:1209:21' (0x30ee520) of size 104


Test script:
---------------
$a=xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo="));


 [2018-12-31 15:15 UTC] cmb@php.net
> It seems that in ext/xmlrpc/libxmlrpc/base64.c there's a second
> base64 implementation in the PHP code.

ext/xmlrpc/libxmlrpc contains a modified libxmlrpc-epi[1], but we
still allow to use the (unmaintained) upstream library instead.

[1] <http://xmlrpc-epi.sourceforge.net/>
 [2019-01-02 00:58 UTC] stas@php.net
-Status: Open +Status: Verified -PHP Version: 7.2.13 +PHP Version: 5.6.39
 [2019-01-02 00:58 UTC] stas@php.net
The problem may be in this code:

    for (i = 0; i < 4; i++) {
        int c;
        c = *(source++);

        ...
        if (dtable[c] & 0x80) {
        ...

So c is declared as signed int (converted from signed char), but used as an array index. This leads to bad access to any value of c which is interpreted as a negative (which shouldn't happen in proper base64 but...). So making it unsigned should fix it.
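To make the signed-index point concrete, here is an added example in C (not PHP's or libxmlrpc-epi's code): a 256-entry decode table using the same 0x80 "not base64" flag convention as the snippet above (table layout assumed), the index computation as the buggy loop performed it beside the unsigned one the fix uses, and a group decoder that rejects the 0xC2 0x93 bytes carried by the test script instead of reading in front of the table. The sample inputs are constructed.

```c
#include <string.h>

/* Decode table in the style of libxmlrpc-epi's base64.c: 0..63 for alphabet
 * bytes, 0x80 flag for anything that is not base64 (layout assumed here). */
static unsigned char dtable[256];
static int dtable_ready;

static void init_dtable(void) {
    const char *alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    memset(dtable, 0x80, sizeof dtable);
    for (int i = 0; i < 64; i++)
        dtable[(unsigned char)alphabet[i]] = (unsigned char)i;
    dtable['='] = 0;   /* padding contributes zero bits */
    dtable_ready = 1;
}

/* The index the buggy loop computed: `int c = *(source++)` through a plain
 * char pointer. Where char is signed (x86 ABIs) any byte >= 0x80 becomes a
 * negative int, so dtable[c] reads memory in front of the table. signed char
 * is spelled out here so the demonstration does not depend on the platform. */
int buggy_index(unsigned char byte) {
    signed char c = (signed char)byte;
    return (int)c;                      /* 0x93 -> -109 */
}

/* The fixed index: widen through unsigned char, always 0..255. */
int fixed_index(unsigned char byte) {
    char c = (char)byte;                /* same byte read through char* */
    return (int)(unsigned char)c;       /* 0x93 -> 147, inside dtable[256] */
}

/* Decode one 4-character group into out[0..2]. Returns the number of payload
 * bytes (1..3), or -1 if any byte is outside the base64 alphabet. */
int decode_group(const char *src, unsigned char *out) {
    unsigned char v[4];
    int pad = 0;
    if (!dtable_ready) init_dtable();
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)src[i];  /* unsigned index: the fix */
        if (dtable[c] & 0x80) return -1;          /* e.g. 0xC2 or 0x93: rejected */
        if (c == '=') pad++;
        v[i] = dtable[c];
    }
    out[0] = (unsigned char)((v[0] << 2) | (v[1] >> 4));
    out[1] = (unsigned char)((v[1] << 4) | (v[2] >> 2));
    out[2] = (unsigned char)((v[2] << 6) | v[3]);
    return 3 - pad;
}
```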
 [2019-01-02 01:17 UTC] stas@php.net
-Status: Verified +Status: Analyzed -Assigned To: +Assigned To: stas -CVE-ID: +CVE-ID: needed
 [2019-01-02 01:17 UTC] stas@php.net
Fix security repo as d4f58f35c369e5831fad27401cd9fe0d5aef62d5 and in https://gist.github.com/smalyshev/498c26052eb24b763888cf0fce5decd5

Please verify. 

I am not sure this can actually cause a security issue, since the range of memory it can read is limited and fixed, but maybe it's possible. So I guess it needs a CVE.
 [2019-01-07 08:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1cc2182bcc81e185c14837e659d12b268cb99d63
Log: Fix bug #77380  (Global out of bounds read in xmlrpc base64 code)
 [2019-01-07 08:10 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-01-07 08:19 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d
Log: Fix bug #77380  (Global out of bounds read in xmlrpc base64 code)
 [2019-01-07 13:17 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=027f68ff10a439c5c331bcbfdd6eb2a5fca0948a
Log: Fix bug #77380  (Global out of bounds read in xmlrpc base64 code)
 [2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2019-9024
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Mon Mar 31 07:01:29 2025 UTC