Sec Bug #54304 Invalid read in RegexIterator::accept() causes crash
Submitted: 2011-03-18 11:21 UTC Modified: 2011-09-12 13:22 UTC
From: decoder-php at own-hero dot net Assigned: pajoye
Status: Closed Package: Reproducible crash
PHP Version: 5.3.6 OS: Linux x86-64
Private report: No CVE-ID:
 [2011-03-18 11:21 UTC] decoder-php at own-hero dot net
Description:
------------
The attached code crashes on PHP 5.3 and trunk. It seems particularly dangerous because the address where the invalid read happens is directly assignable. I didn't have more time to look into this but it might be possible to do arbitrary memory reading with this vulnerability.

Test script:
---------------
<?php
class foo extends ArrayIterator {
    public function __construct() {
        parent::__construct(array(
            'test3' => 'test999'));
    }
}
$h = new foo;
$i = new RegexIterator($h, '/^test(.*)/', RegexIterator::REPLACE);
$i->replacement = 3735928559; // 0xdeadbeef
foreach ($i as $name => $value) {
}
?>

Actual result:
--------------
==22309== Invalid read of size 1
==22309==    at 0x497700: php_pcre_replace_impl (php_pcre.c:1088)
==22309==    by 0x62E77E: zim_spl_RegexIterator_accept (spl_iterators.c:1919)
==22309==    by 0x7C3A40: zend_call_function (zend_execute_API.c:986)
==22309==    by 0x7EF6A1: zend_call_method (zend_interfaces.c:97)   
==22309==    by 0x62DD39: spl_filter_it_fetch (spl_iterators.c:1724)
==22309==    by 0x62DE07: spl_filter_it_rewind (spl_iterators.c:1743)
==22309==    by 0x62DE96: zim_spl_FilterIterator_rewind (spl_iterators.c:1763)
==22309==    by 0x7C3A40: zend_call_function (zend_execute_API.c:986)
==22309==    by 0x7EF6A1: zend_call_method (zend_interfaces.c:97)   
==22309==    by 0x7EFCFF: zend_user_it_rewind (zend_interfaces.c:261)
==22309==    by 0x88CBE0: ZEND_FE_RESET_SPEC_CV_HANDLER (zend_vm_execute.h:22724)
==22309==    by 0x80693D: execute (zend_vm_execute.h:107)
==22309==  Address 0xdeadbeef is not stack'd, malloc'd or (recently) free'd
==22309==
==22309==
==22309== Process terminating with default action of signal 11 (SIGSEGV)
==22309==  Access not within mapped region at address 0xDEADBEEF
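Added illustration, not code from this report or from PHP itself: a small C model of the defect the description points at. A tagged value (a stand-in for a Zend zval, with constructed type and field names) carries an integer payload that the unchecked path hands to the replace routine as a string pointer, which is how an assignable integer such as 3735928559 turns into a read at 0xdeadbeef; the checked form next to it coerces a non-string replacement to text and refuses unknown types, the case the SVN log entry names. The wrapper functions `checked_string`, `checked_long` and `checked_other` are constructed for this example and assume a 64-bit build.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a Zend zval: a union of payloads sharing the
 * same bytes plus a type tag. This is a model, not PHP's definition. */
typedef enum { VT_LONG, VT_STRING } vtype;
typedef struct {
    union { long long lval; const char *str; } u;
    int type;
} val;

/* Shape of the defect: the payload is used as a string without looking
 * at the tag. With a VT_LONG value the integer bits are reinterpreted as
 * a char pointer, so 3735928559 becomes a read from 0xdeadbeef, which is
 * what Valgrind reported above. Kept only for contrast; never called. */
const char *replacement_unchecked(const val *v) {
    return v->u.str;
}

/* Hardened form: check the tag, coerce an integer to its decimal text
 * (the user-visible PHP semantics), and refuse anything unexpected. */
const char *replacement_checked(const val *v, char *buf, size_t n) {
    switch (v->type) {
    case VT_STRING:
        return v->u.str;
    case VT_LONG:
        snprintf(buf, n, "%lld", v->u.lval);
        return buf;
    default:
        return NULL;   /* unknown type: refuse rather than guess */
    }
}

/* Wrappers mirroring the report's cases; g_buf holds the coerced text. */
static char g_buf[32];

const char *checked_string(const char *s) {
    val v; v.type = VT_STRING; v.u.str = s;
    return replacement_checked(&v, g_buf, sizeof g_buf);
}

const char *checked_long(long long x) {
    val v; v.type = VT_LONG; v.u.lval = x;   /* $i->replacement = 3735928559 */
    return replacement_checked(&v, g_buf, sizeof g_buf);
}

const char *checked_other(void) {
    val v; v.type = 99; v.u.lval = 0;        /* a type the code does not handle */
    return replacement_checked(&v, g_buf, sizeof g_buf);
}
```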


History

 [2011-03-23 01:57 UTC] felipe@php.net
I can't reproduce it on 32bit.
 [2011-03-23 01:58 UTC] felipe@php.net
-Summary: Crash in php_pcre_replace_impl +Summary: Invalid read in RegexIterator::accept() causes crash
 [2011-09-12 11:46 UTC] bjori@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: bjori
 [2011-09-12 11:46 UTC] bjori@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

http://svn.php.net/viewvc?view=revision&revision=316528
 [2011-09-12 12:09 UTC] pajoye@php.net
-Status: Closed +Status: Re-Opened
 [2011-09-12 12:09 UTC] pajoye@php.net
The fix is wrong, reopening this issue.
 [2011-09-12 13:04 UTC] pajoye@php.net
-Assigned To: bjori +Assigned To: pajoye
 [2011-09-12 13:04 UTC] pajoye@php.net
taking the end on that one, fix already done. Tests running.
 [2011-09-12 13:22 UTC] bjori@php.net
-Status: Re-Opened +Status: Closed
 [2011-09-12 17:20 UTC] bjori@php.net
Automatic comment from SVN on behalf of bjori
Revision: http://svn.php.net/viewvc/?view=revision&revision=316561
Log: Test for non-string replacement, bug#54304
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 10:02:06 2014 UTC