php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69824 Core functions makes string overflow possible introducing strange behaviours
Submitted: 2015-06-13 23:21 UTC Modified: -
From: grzegorz129 at gmail dot com Assigned:
Status: Open Package: Strings related
PHP Version: 5.6.10 OS: OSX, Linux
Private report: No CVE-ID: None
 [2015-06-13 23:21 UTC] grzegorz129 at gmail dot com
Description:
------------
Everyone is worried about producing a block hole in LHC, but no one is watching evil PHP programmers at their homes. After years of hard work I made it! Black hole is alive, it consumes everything... it even forced strlen() to provide value below 0 ;)

Speaking serious when I saw documentation note about strings length ("Note: string can be as large as up to 2GB (2147483647 bytes maximum)") I instantly started wondering if it's possible to break that limit and what will happen after.
After some experiments I observed that some functions can create strings bigger than 2147483647 bytes.

First script result looks funny but it's little boring. I started digging more and created second one. After even more digging I noticed memory allocation problem (3rd script) but what's the fun without segfault?
Finally I created segfault using 4rd script. Unfortunately I'm unable to provide backtrace since I don't have machine with newest PHP build with debug enabled.


So yeah, string boundaries can be exploited and than PHP starts behaving strangely ;)

Test script:
---------------
<?php
ini_set('memory_limit', '10G');
$size = (1024 * 1024 * 1024); //1 gigabyte
$test = str_repeat('a', $size);
$test2 = $test.$test;
//Result: PHP Fatal error:  Allowed memory size of 10737418240 bytes exhausted (tried to allocate 18446744071562067969 bytes)

------------------------------------
<?php
ini_set('memory_limit', '10G');
$size = (1024 * 1024 * 1024); //1 gigabyte
$test = str_repeat('a', $size);
$test2 = str_repeat($test, 2);
var_dump(strlen($test2)); //Result: -2
echo $test2; //Prints nothing


------------------------------------
<?php
ini_set('memory_limit', '10G');
$size = 2147483648;
$test = str_repeat('a', $size);
strlen( substr( str_repeat($test, 2), 1) );

------------------------------------
<?php
ini_set('memory_limit', '10G');
$size = 2147483648;
$test = str_repeat('a', $size);
$x[$test] = '';

var_dump($x);



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-14 00:36 UTC] grzegorz129 at gmail dot com
I forgot to mention actual result of 3rd script: Fatal error: Possible integer overflow in memory allocation (18446744071562067968 * 2 + 1)
 [2015-06-14 01:58 UTC] grzegorz129 at gmail dot com
I also found that following two operations on files can produce segfaults:

1st:
$fp = fopen('/dev/zero', 'r');
$test = fread($fp, 2147483648);

2nd:
file('test.bin'); //File is 2147483648 bytes


I tested all the codes on 5.6.7 (just checked it wasn't updated to 5.6.10), but 7.0 have regress (at least in term of arrays): http://3v4l.org/SDghN
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 05 10:01:32 2024 UTC