php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67252 convert_uudecode out-of-bounds read
Submitted: 2014-05-12 03:22 UTC Modified: 2014-05-14 00:16 UTC
From: stas@php.net Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4.28 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
23 - 16 = ?
Subscribe to this entry?

 
 [2014-05-12 03:22 UTC] stas@php.net
Description:
------------
convert_uudecode does not check the string length and thus tries to read past string end on short strings.

Test script:
---------------
$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."!.";


Expected result:
----------------
no memory errors

Actual result:
--------------
==4264== Invalid read of size 1
==4264==    at 0x7B9FCA: php_uudecode (uuencode.c:156)
==4264==    by 0x7BA0FB: zif_convert_uudecode (uuencode.c:216)
==4264==    by 0x8FA502: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==4264==    by 0x8EBD9F: execute_ex (zend_vm_execute.h:363)
==4264==    by 0x877B28: zend_execute_scripts (zend.c:1316)
==4264==    by 0x819828: php_execute_script (main.c:2506)
==4264==    by 0x92863B: do_cli (php_cli.c:994)
==4264==    by 0x928DD7: main (php_cli.c:1378)
==4264==  Address 0x15ffb671 is 0 bytes after a block of size 65 alloc'd
==4264==    at 0x4C26FDE: malloc (vg_replace_malloc.c:236)
==4264==    by 0x870014: concat_function (zend_operators.c:1329)
==4264==    by 0x8D835F: ZEND_CONCAT_SPEC_TMP_CONST_HANDLER (zend_vm_execute.h:8510)
==4264==    by 0x8EBD9F: execute_ex (zend_vm_execute.h:363)
==4264==    by 0x877B28: zend_execute_scripts (zend.c:1316)
==4264==    by 0x819828: php_execute_script (main.c:2506)
==4264==    by 0x92863B: do_cli (php_cli.c:994)
==4264==    by 0x928DD7: main (php_cli.c:1378)


Patches

fix-uudecode (last revision 2014-05-12 03:30 UTC by stas@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-05-12 03:23 UTC] stas@php.net
oops, script was cut off. Repro script is:

$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."!.";
var_dump(convert_uudecode($a));
 [2014-05-12 03:30 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: fix-uudecode
Revision:   1399865427
URL:        https://bugs.php.net/patch-display.php?bug=67252&patch=fix-uudecode&revision=1399865427
 [2014-05-14 00:16 UTC] stas@php.net
-Status: Open +Status: Closed -Type: Security +Type: Bug -Assigned To: +Assigned To: stas
 [2014-05-14 00:16 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2014-05-14 07:57 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1e2818b143760a79a0887861bd6221b158355073
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-05-18 17:18 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1e2818b143760a79a0887861bd6221b158355073
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-05-26 06:32 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1e2818b143760a79a0887861bd6221b158355073
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-05-26 06:50 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1e2818b143760a79a0887861bd6221b158355073
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-07-29 21:56 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f527897fe3e333f43bbed67741287d355ab4b2b
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-08-14 15:34 UTC] johannes@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f527897fe3e333f43bbed67741287d355ab4b2b
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-08-14 19:32 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f527897fe3e333f43bbed67741287d355ab4b2b
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-10-07 23:14 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=7f527897fe3e333f43bbed67741287d355ab4b2b
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-10-07 23:15 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=1e2818b143760a79a0887861bd6221b158355073
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-10-07 23:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=7f527897fe3e333f43bbed67741287d355ab4b2b
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=1e2818b143760a79a0887861bd6221b158355073
Log: Fix bug #67252: convert_uudecode out-of-bounds read
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 19:01:29 2024 UTC