PHP :: Bug #70667 :: strtr() causes invalid writes and a crashes

Bug #70667	strtr() causes invalid writes and a crashes
Submitted:	2015-10-08 11:05 UTC	Modified:	2015-10-08 11:05 UTC
From:	tony2001@php.net	Assigned:	dmitry (profile)
Status:	Closed	Package:	Strings related
PHP Version:	7.0Git-2015-10-08 (Git)	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 35 - 4 = ?
Subscribe to this entry?

[2015-10-08 11:05 UTC] tony2001@php.net

Description:
------------
The test example causes invalid writes and a crash in php_strtr_array().
It seems that the problem is in num_bitset allocation, it's too small to store all the bits, which results in a buffer overflow.


Test script:
---------------
$a = array("{{language_id}}"=>"255", "{{partner_name}}"=>"test1");
var_dump(strtr("Sign in to test1", $a));

Expected result:
----------------
.

Actual result:
--------------
==9676== Invalid read of size 8
==9676==    at 0x5A4212: php_strtr_array (string.c:3029)
==9676==    by 0x5A5EE7: zif_strtr (string.c:3493)
==9676==    by 0x6CDD62: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:583)
==9676==    by 0x6CD84C: execute_ex (zend_vm_execute.h:414)
==9676==    by 0x6CD92E: zend_execute (zend_vm_execute.h:458)
==9676==    by 0x671EFA: zend_execute_scripts (zend.c:1558)
==9676==    by 0x5E68CF: php_execute_script (main.c:2525)
==9676==    by 0x72EFD4: do_cli (php_cli.c:974)
==9676==    by 0x72FE56: main (php_cli.c:1345)
==9676==  Address 0x67a1730 is 0 bytes after a block of size 16 alloc'd
==9676==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9676==    by 0x63EF22: _emalloc (zend_alloc.c:2410)
==9676==    by 0x63F298: _safe_emalloc (zend_alloc.c:2482)
==9676==    by 0x63F3BB: _ecalloc (zend_alloc.c:2505)
==9676==    by 0x5A40E3: php_strtr_array (string.c:3007)
==9676==    by 0x5A5EE7: zif_strtr (string.c:3493)
==9676==    by 0x6CDD62: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:583)
==9676==    by 0x6CD84C: execute_ex (zend_vm_execute.h:414)
==9676==    by 0x6CD92E: zend_execute (zend_vm_execute.h:458)
==9676==    by 0x671EFA: zend_execute_scripts (zend.c:1558)
==9676==    by 0x5E68CF: php_execute_script (main.c:2525)
==9676==    by 0x72EFD4: do_cli (php_cli.c:974)
==9676==    by 0x72FE56: main (php_cli.c:1345)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-10-08 11:05 UTC] tony2001@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry

[2015-10-08 11:33 UTC] dmitry@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)

[2015-10-08 11:33 UTC] dmitry@php.net

-Status: Assigned +Status: Closed

[2015-10-13 10:12 UTC] ab@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)

[2016-07-20 11:36 UTC] davey@php.net

Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 14:00:01 2025 UTC