php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #70667 strtr() causes invalid writes and a crashes
Submitted: 2015-10-08 11:05 UTC Modified: 2015-10-08 11:05 UTC
From: tony2001@php.net Assigned: dmitry (profile)
Status: Closed Package: Strings related
PHP Version: 7.0Git-2015-10-08 (Git) OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: tony2001@php.net
New email:
PHP Version: OS:

 

 [2015-10-08 11:05 UTC] tony2001@php.net 
Description:
------------
The test example causes invalid writes and a crash in php_strtr_array().
It seems that the problem is in num_bitset allocation, it's too small to store all the bits, which results in a buffer overflow.


Test script:
---------------
$a = array("{{language_id}}"=>"255", "{{partner_name}}"=>"test1");
var_dump(strtr("Sign in to test1", $a));

Expected result:
----------------
.

Actual result:
--------------
==9676== Invalid read of size 8
==9676==    at 0x5A4212: php_strtr_array (string.c:3029)
==9676==    by 0x5A5EE7: zif_strtr (string.c:3493)
==9676==    by 0x6CDD62: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:583)
==9676==    by 0x6CD84C: execute_ex (zend_vm_execute.h:414)
==9676==    by 0x6CD92E: zend_execute (zend_vm_execute.h:458)
==9676==    by 0x671EFA: zend_execute_scripts (zend.c:1558)
==9676==    by 0x5E68CF: php_execute_script (main.c:2525)
==9676==    by 0x72EFD4: do_cli (php_cli.c:974)
==9676==    by 0x72FE56: main (php_cli.c:1345)
==9676==  Address 0x67a1730 is 0 bytes after a block of size 16 alloc'd
==9676==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9676==    by 0x63EF22: _emalloc (zend_alloc.c:2410)
==9676==    by 0x63F298: _safe_emalloc (zend_alloc.c:2482)
==9676==    by 0x63F3BB: _ecalloc (zend_alloc.c:2505)
==9676==    by 0x5A40E3: php_strtr_array (string.c:3007)
==9676==    by 0x5A5EE7: zif_strtr (string.c:3493)
==9676==    by 0x6CDD62: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:583)
==9676==    by 0x6CD84C: execute_ex (zend_vm_execute.h:414)
==9676==    by 0x6CD92E: zend_execute (zend_vm_execute.h:458)
==9676==    by 0x671EFA: zend_execute_scripts (zend.c:1558)
==9676==    by 0x5E68CF: php_execute_script (main.c:2525)
==9676==    by 0x72EFD4: do_cli (php_cli.c:974)
==9676==    by 0x72FE56: main (php_cli.c:1345)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-08 11:05 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2015-10-08 11:33 UTC] dmitry@php.net 
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)
 [2015-10-08 11:33 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2015-10-13 10:12 UTC] ab@php.net 
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)
 [2016-07-20 11:36 UTC] davey@php.net 
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Oct 27 16:01:27 2024 UTC