php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61487 integer overflow grapheme_stripos / grapheme_strpos
Submitted: 2012-03-23 07:23 UTC Modified: 2012-03-25 08:01 UTC
From: stas@php.net Assigned: stas (profile)
Status: Closed Package: intl (PECL)
PHP Version: 5.4SVN-2012-03-23 (SVN) OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: stas@php.net
New email:
PHP Version: OS:

 

 [2012-03-23 07:23 UTC] stas@php.net
Description:
------------
Passing 2147483648 as offset argument to grapheme_strpos leads to crash on 32-bit 
machines. 

Test script:
---------------
grapheme_strpos(1,1,2147483648);


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-23 07:24 UTC] stas@php.net
Original bug report from Mateusz Goik


root@bt:~/fuz/exploit# gdb php
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/php...done.
(gdb) r grapheme_stripos.php
Starting program: /usr/local/bin/php grapheme_stripos.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb5e83410 in memchr () from /lib/tls/i686/cmov/libc.so.6
(gdb) info stack
#0  0xb5e83410 in memchr () from /lib/tls/i686/cmov/libc.so.6
#1  0x0825ce03 in zend_memnstr (haystack=0x35b0279c <Address 0x35b0279c
out of bounds>, needle=0xb5b0278c "1", needle_len=1, end=0xb5b0279d "")
at /root/php-5.4.0/Zend/zend_operators.h:236
#2  0x0825d508 in zif_grapheme_stripos (ht=3, return_value=0xb5b026c0,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at
/root/php-5.4.0/ext/intl/grapheme/grapheme_string.c:222
#3  0x0859af62 in zend_do_fcall_common_helper_SPEC
(execute_data=0xb5ae8030) at /root/php-5.4.0/Zend/zend_vm_execute.h:642
#4  0x085a0766 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xb5ae8030) at /root/php-5.4.0/Zend/zend_vm_execute.h:2215
#5  0x08599f44 in execute (op_array=0xb5b024a0) at
/root/php-5.4.0/Zend/zend_vm_execute.h:410
#6  0x0856b7da in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /root/php-5.4.0/Zend/zend.c:1272
#7  0x084fcc3e in php_execute_script (primary_file=0xbffff348) at
/root/php-5.4.0/main/main.c:2473
#8  0x08662517 in do_cli (argc=2, argv=0xbffff5d4) at
/root/php-5.4.0/sapi/cli/php_cli.c:983
#9  0x086633fb in main (argc=2, argv=0xbffff5d4) at
/root/php-5.4.0/sapi/cli/php_cli.c:1356
(gdb) q
A debugging session is active.

    Inferior 1 [process 7182] will be killed.

Quit anyway? (y or n) y
root@bt:~/fuz/exploit# cat grapheme_stripos.php
<?php
grapheme_stripos(1,1,2147483648);
?>
root@bt:~/fuz/exploit#




root@bt:~/fuz/exploit# gdb php
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/bin/php...done.
(gdb) r grapheme_strpos.php
Starting program: /usr/local/bin/php grapheme_strpos.php
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0xb5e83410 in memchr () from /lib/tls/i686/cmov/libc.so.6
(gdb) info stack
#0  0xb5e83410 in memchr () from /lib/tls/i686/cmov/libc.so.6
#1  0x0825ce03 in zend_memnstr (haystack=0x35b026b8 <Address 0x35b026b8
out of bounds>, needle=0xb5b02710 "1", needle_len=1, end=0xb5b026b9 "")
at /root/php-5.4.0/Zend/zend_operators.h:236
#2  0x0825d251 in zif_grapheme_strpos (ht=3, return_value=0xb5b0269c,
return_value_ptr=0x0, this_ptr=0x0, return_value_used=0) at
/root/php-5.4.0/ext/intl/grapheme/grapheme_string.c:149
#3  0x0859af62 in zend_do_fcall_common_helper_SPEC
(execute_data=0xb5ae8030) at /root/php-5.4.0/Zend/zend_vm_execute.h:642
#4  0x085a0766 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xb5ae8030) at /root/php-5.4.0/Zend/zend_vm_execute.h:2215
#5  0x08599f44 in execute (op_array=0xb5b0247c) at
/root/php-5.4.0/Zend/zend_vm_execute.h:410
#6  0x0856b7da in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /root/php-5.4.0/Zend/zend.c:1272
#7  0x084fcc3e in php_execute_script (primary_file=0xbffff348) at
/root/php-5.4.0/main/main.c:2473
#8  0x08662517 in do_cli (argc=2, argv=0xbffff5d4) at
/root/php-5.4.0/sapi/cli/php_cli.c:983
#9  0x086633fb in main (argc=2, argv=0xbffff5d4) at
/root/php-5.4.0/sapi/cli/php_cli.c:1356
(gdb) q
A debugging session is active.

    Inferior 1 [process 7193] will be killed.

Quit anyway? (y or n) y
root@bt:~/fuz/exploit# cat grapheme_strpos.php
<?php
grapheme_strpos(1,1,2147483648);
?>
root@bt:~/fuz/exploit#

Backtrack 5r2 / 32bit

root@bt:~/fuz/exploit# php -v
PHP 5.4.0 (cli) (built: Mar 14 2012 22:49:51)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

Mateusz Goik
 [2012-03-25 07:58 UTC] stas@php.net
-Type: Security +Type: Bug
 [2012-03-25 08:01 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2012-03-25 08:01 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-03-25 08:03 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cd9cd36d7e81af19eba3631b371ec40658874a8b
Log: fix bug #61487 - bad bounds check in grapheme_strpos
 [2012-03-25 08:03 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cd9cd36d7e81af19eba3631b371ec40658874a8b
Log: fix bug #61487 - bad bounds check in grapheme_strpos
 [2012-03-25 08:03 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cd9cd36d7e81af19eba3631b371ec40658874a8b
Log: fix bug #61487 - bad bounds check in grapheme_strpos
 [2012-03-29 04:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cd9cd36d7e81af19eba3631b371ec40658874a8b
Log: fix bug #61487 - bad bounds check in grapheme_strpos
 [2014-10-07 23:28 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=cd9cd36d7e81af19eba3631b371ec40658874a8b
Log: fix bug #61487 - bad bounds check in grapheme_strpos
 [2014-10-07 23:39 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=cd9cd36d7e81af19eba3631b371ec40658874a8b
Log: fix bug #61487 - bad bounds check in grapheme_strpos
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Sep 14 05:01:28 2024 UTC