Bug #70667 strtr() causes invalid writes and a crash
Submitted: 2015-10-08 11:05 UTC Modified: 2015-10-08 11:05 UTC
From: tony2001@php.net Assigned: dmitry
Status: Closed Package: Strings related
PHP Version: 7.0Git-2015-10-08 (Git) OS:
Private report: No CVE-ID:
 [2015-10-08 11:05 UTC] tony2001@php.net
Description:
------------
The test example causes invalid writes and a crash in php_strtr_array().
It seems that the problem is in the num_bitset allocation: it is too small to store all the bits, which results in a buffer overflow.


Test script:
---------------
<?php
// Longest key is "{{partner_name}}" (16 bytes); the input contains neither key.
$a = array("{{language_id}}"=>"255", "{{partner_name}}"=>"test1");
var_dump(strtr("Sign in to test1", $a));

Expected result:
----------------
.

Actual result:
--------------
==9676== Invalid read of size 8
==9676==    at 0x5A4212: php_strtr_array (string.c:3029)
==9676==    by 0x5A5EE7: zif_strtr (string.c:3493)
==9676==    by 0x6CDD62: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:583)
==9676==    by 0x6CD84C: execute_ex (zend_vm_execute.h:414)
==9676==    by 0x6CD92E: zend_execute (zend_vm_execute.h:458)
==9676==    by 0x671EFA: zend_execute_scripts (zend.c:1558)
==9676==    by 0x5E68CF: php_execute_script (main.c:2525)
==9676==    by 0x72EFD4: do_cli (php_cli.c:974)
==9676==    by 0x72FE56: main (php_cli.c:1345)
==9676==  Address 0x67a1730 is 0 bytes after a block of size 16 alloc'd
==9676==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9676==    by 0x63EF22: _emalloc (zend_alloc.c:2410)
==9676==    by 0x63F298: _safe_emalloc (zend_alloc.c:2482)
==9676==    by 0x63F3BB: _ecalloc (zend_alloc.c:2505)
==9676==    by 0x5A40E3: php_strtr_array (string.c:3007)
==9676==    by 0x5A5EE7: zif_strtr (string.c:3493)
==9676==    by 0x6CDD62: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:583)
==9676==    by 0x6CD84C: execute_ex (zend_vm_execute.h:414)
==9676==    by 0x6CD92E: zend_execute (zend_vm_execute.h:458)
==9676==    by 0x671EFA: zend_execute_scripts (zend.c:1558)
==9676==    by 0x5E68CF: php_execute_script (main.c:2525)
==9676==    by 0x72EFD4: do_cli (php_cli.c:974)
==9676==    by 0x72FE56: main (php_cli.c:1345)
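An added example, not php-src code, that models the length bitset the report points at: each key length sets one bit, so lengths 1..maxlen need maxlen+1 bits, and sizing the buffer for maxlen bits alone puts the bit for the longest key one word past the end. One byte per bitset word is an assumption chosen so that the 16-byte longest test key lands exactly on the 16-byte block in the trace above; the helper names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

#define BITS_PER_WORD 8  /* assumption: one byte per bitset word */

/* Words for bits 0..maxlen-1 only: one word short whenever a key's length is
 * maxlen and maxlen is a multiple of BITS_PER_WORD (the reported off-by-one). */
size_t words_too_small(size_t maxlen) { return (maxlen + BITS_PER_WORD - 1) / BITS_PER_WORD; }
/* Words for bits 0..maxlen inclusive: the bit for the longest key always fits. */
size_t words_needed(size_t maxlen) { return maxlen / BITS_PER_WORD + 1; }
/* 1 if setting bit `len` stays inside a bitset of `words` words. */
int bit_in_bounds(size_t words, size_t len) { return len / BITS_PER_WORD < words; }

/* Longest-match replacement of keys[i] by vals[i] in `in`, trying only lengths
 * some key actually has. Returns a malloc'd string (caller frees) or NULL. */
char *strtr_model(const char *in, const char **keys, const char **vals, size_t n) {
    size_t inlen = strlen(in), minlen = (size_t)-1, maxlen = 0, maxval = 1, i, pos, outlen = 0;
    for (i = 0; i < n; i++) {
        size_t k = strlen(keys[i]), v = strlen(vals[i]);
        if (k < minlen) minlen = k;
        if (k > maxlen) maxlen = k;
        if (v > maxval) maxval = v;
    }
    if (n == 0 || minlen == 0) {  /* nothing to replace (empty keys are rejected) */
        char *copy = malloc(inlen + 1);
        if (copy) memcpy(copy, in, inlen + 1);
        return copy;
    }
    unsigned char *bits = calloc(words_needed(maxlen), 1);
    char *out = malloc(inlen * maxval + 1);  /* each input byte yields at most maxval bytes */
    if (!bits || !out) { free(bits); free(out); return NULL; }
    for (i = 0; i < n; i++) {
        size_t k = strlen(keys[i]);
        bits[k / BITS_PER_WORD] |= (unsigned char)(1u << (k % BITS_PER_WORD));
    }
    for (pos = 0; pos < inlen; ) {
        size_t len = inlen - pos < maxlen ? inlen - pos : maxlen, matched = 0;
        for (; len >= minlen && !matched; len--) {
            if (!(bits[len / BITS_PER_WORD] & (1u << (len % BITS_PER_WORD)))) continue;
            for (i = 0; i < n; i++) {
                if (strlen(keys[i]) == len && memcmp(in + pos, keys[i], len) == 0) {
                    size_t v = strlen(vals[i]);
                    memcpy(out + outlen, vals[i], v); outlen += v; pos += len; matched = 1; break;
                }
            }
        }
        if (!matched) out[outlen++] = in[pos++];
    }
    out[outlen] = '\0';
    free(bits);
    return out;
}
```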

History

 [2015-10-08 11:05 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2015-10-08 11:33 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crash)
 [2015-10-08 11:33 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2015-10-13 10:12 UTC] ab@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crash)
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crash)
Last updated: Tue Aug 29 15:01:52 2017 UTC