Sec Bug #54681 addGlob() crashes on invalid flags
Submitted: 2011-05-07 00:58 UTC Modified: 2011-08-22 11:44 UTC
From: cxib at securityreason dot com Assigned: pajoye (profile)
Status: Closed Package: *General Issues
PHP Version: 5.3.6 OS: NetBSD
Private report: No CVE-ID: None

 [2011-05-07 00:58 UTC] cxib at securityreason dot com
First, the functions addGlob and addPattern are not described in the manual.

	/* 1 == glob, 2==pcre */
	if (type == 1) {
		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|la",
				&pattern, &pattern_len, &flags, &options) == FAILURE) {
			return;
		}
	} else {
		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sa",
				&pattern, &pattern_len, &path, &path_len, &options) == FAILURE) {
			return;
		}
	}

There is no GLOB flags validation like in php/glob(). So limit the flags only to:

    * GLOB_MARK - Adds a slash to each directory returned
    * GLOB_NOSORT - Return files as they appear in the directory (no
    * GLOB_NOCHECK - Return the search pattern if no files matching it were found
    * GLOB_NOESCAPE - Backslashes do not quote metacharacters
    * GLOB_BRACE - Expands {a,b,c} to match 'a', 'b', or 'c'
    * GLOB_ONLYDIR - Return only directory entries which match the pattern
    * GLOB_ERR - Stop on read errors (like unreadable directories), by default errors are ignored.

Test script:
The crash comes when we run the libc glob(3) function with an incorrect flag.
Tested also on Linux (Ubuntu) and NetBSD.

cx@cx64:~$ php -v
PHP 5.3.3-1ubuntu9.3 with Suhosin-Patch (cli) (built: Jan 12 2011 16:07:38)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
cx@cx64:~$ uname -a
Linux cx64 2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:39:03 UTC 2011
x86_64 GNU/Linux
cx@cx64:/www$ cat zip.php
?>
cx@cx64:/www$ php zip.php
Segmentation fault

Actual result:
Segmentation fault


 [2011-05-07 01:00 UTC]
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2011-05-07 01:27 UTC] cxib at securityreason dot com
use CVE-2011-1657
 [2011-05-07 02:26 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2011-05-07 02:26 UTC]
-CVE-ID: +CVE-ID: 2011-1657
 [2011-05-07 03:58 UTC]
-Summary: addGlob addPattern buffer overflow +Summary: addGlob() crashes on invalid flags
 [2011-05-07 03:58 UTC]
Hi, this is not a buffer overflow issue, but an error in glob() due to the invalid (or unsupported) flags.

Anyway, the checks from glob() were added in the addGlob() method.
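
One way to implement the flag check that the reporter proposed and that this comment says was added to addGlob(), as an added example that is not PHP's code or the committed fix: the allow-list is taken from the reporter's flag list above, and safe_glob_count() is a hypothetical stand-in for the addGlob() call site.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE      /* lets glibc expose GLOB_BRACE / GLOB_ONLYDIR */
#endif
#include <glob.h>
#include <stdio.h>

/* Allow-list mask built from the flags the report says php/glob() accepts;
 * the two libc extensions are added only when this <glob.h> defines them. */
static long safe_glob_flags(void)
{
    long mask = GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE | GLOB_ERR;
#ifdef GLOB_BRACE
    mask |= GLOB_BRACE;
#endif
#ifdef GLOB_ONLYDIR
    mask |= GLOB_ONLYDIR;
#endif
    return mask;
}

/* 1 when every bit of flags is on the allow-list, else 0; a negative value
 * (a PHP long handed straight through from user code) never passes. */
int glob_flags_valid(long flags)
{
    if (flags < 0)
        return 0;
    return (flags & ~safe_glob_flags()) == 0;
}

/* Hypothetical stand-in for the addGlob() call site: validate, then call
 * glob(3).  Returns the match count, or -1 if the flags were rejected or
 * glob(3) failed with anything other than GLOB_NOMATCH. */
int safe_glob_count(const char *pattern, long flags)
{
    glob_t g;
    int rc;
    if (!glob_flags_valid(flags)) {
        fprintf(stderr, "rejected glob flags 0x%lx: not supported here\n", flags);
        return -1;
    }
    rc = glob(pattern, (int)flags, NULL, &g);
    if (rc == GLOB_NOMATCH)
        return 0;                     /* nothing was allocated */
    if (rc != 0)
        return -1;
    rc = (int)g.gl_pathc;
    globfree(&g);
    return rc;
}
```

With GLOB_NOCHECK the pattern itself is returned when nothing matches, so the count is 1 rather than 0; a flag outside the allow-list (for instance GLOB_DOOFFS) is refused before glob(3) is ever entered.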

 [2011-05-07 03:58 UTC]
Automatic comment from SVN on behalf of felipe
Log: - Fixed bug #54681 (addGlob() crashes on invalid flags)
 [2011-05-07 03:58 UTC]
-Status: Assigned +Status: Closed
 [2011-05-07 03:58 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2011-05-07 03:59 UTC]
Automatic comment from SVN on behalf of felipe
Log: - BFN #54681
 [2011-05-07 21:16 UTC] cxib at securityreason dot com
I agree with you that the issue is due to the invalid (or unsupported) flags. Consequently, it can lead to many other symptoms. With the glob(3) function on Linux, we can get stack exhaustion like what was discovered in fnmatch/php.

However, in my opinion, GNU was responsible for this bug, not PHP.

There is a big difference between glob(3) on Linux and BSD. However, an uncontrolled 'flag' parameter to the glob function will, in both cases, produce a different susceptibility.

Thanks for the fix.
 [2011-08-20 14:52 UTC] max at cxib dot net
 [2011-08-21 11:54 UTC]
@max at cxib dot net

Still happening with the fix?
 [2011-08-22 11:44 UTC] cxib at securityreason dot com
No, I just reported a PoC to confirm the security problem under BSD.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Jun 23 04:01:29 2024 UTC