php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #72138 Integer Overflow in Length of String-typed ZVAL
Submitted: 2016-05-02 10:08 UTC Modified: 2016-05-10 05:28 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.21 OS: *
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
30 - 29 = ?
Subscribe to this entry?

 
 [2016-05-02 10:08 UTC] taoguangchen at icloud dot com 
Description:
------------
```
typedef union _zvalue_value {
	long lval;					/* long value */
	double dval;				/* double value */
	struct {
		char *val;
		int len;
	} str;
	HashTable *ht;				/* hash table value */
	zend_object_value obj;
	} zvalue_value;
```

The len is defined as signed int, integer overflow is possible in some situations, that results in len into a negative value and get a corrupted string-typed ZVAL.

ex:

str_replace/str_ireplace
```
	Z_STRLEN_P(result) = len + (char_count * (to_len - 1));
```

PoC:

```
<?php

ini_set('memory_limit', -1);
$str = str_replace('B', 'AAAAAAAA', str_repeat('B', 0xffffffff/8));
var_dump(strlen($str));

?>
```

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-10 05:28 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Reproducible crash -PHP Version: 5.5.35 +PHP Version: 5.6.21
 [2016-05-10 05:28 UTC] stas@php.net 
This does not look like security issue - requires special code under unrealistic memory limit.
 [2016-06-14 08:04 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4c968c6ddd2d3eb46838db153264edf5c7b3fefa
Log: Fix bug #72138 - Integer Overflow in Length of String-typed ZVAL
 [2016-06-14 08:04 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-06-22 05:58 UTC] krakjoe@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4c968c6ddd2d3eb46838db153264edf5c7b3fefa
Log: Fix bug #72138 - Integer Overflow in Length of String-typed ZVAL
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Nov 05 10:00:02 2025 UTC