php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #70667 strtr() causes invalid writes and a crashes
Submitted: 2015-10-08 11:05 UTC Modified: 2015-10-08 11:05 UTC
From: tony2001@php.net Assigned: dmitry (profile)
Status: Closed Package: Strings related
PHP Version: 7.0Git-2015-10-08 (Git) OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: tony2001@php.net
New email:
PHP Version: OS:

 

 [2015-10-08 11:05 UTC] tony2001@php.net 
Description:
------------
The test example causes invalid writes and a crash in php_strtr_array().
It seems that the problem is in num_bitset allocation, it's too small to store all the bits, which results in a buffer overflow.


Test script:
---------------
$a = array("{{language_id}}"=>"255", "{{partner_name}}"=>"test1");
var_dump(strtr("Sign in to test1", $a));

Expected result:
----------------
.

Actual result:
--------------
==9676== Invalid read of size 8
==9676==    at 0x5A4212: php_strtr_array (string.c:3029)
==9676==    by 0x5A5EE7: zif_strtr (string.c:3493)
==9676==    by 0x6CDD62: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:583)
==9676==    by 0x6CD84C: execute_ex (zend_vm_execute.h:414)
==9676==    by 0x6CD92E: zend_execute (zend_vm_execute.h:458)
==9676==    by 0x671EFA: zend_execute_scripts (zend.c:1558)
==9676==    by 0x5E68CF: php_execute_script (main.c:2525)
==9676==    by 0x72EFD4: do_cli (php_cli.c:974)
==9676==    by 0x72FE56: main (php_cli.c:1345)
==9676==  Address 0x67a1730 is 0 bytes after a block of size 16 alloc'd
==9676==    at 0x4C29110: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==9676==    by 0x63EF22: _emalloc (zend_alloc.c:2410)
==9676==    by 0x63F298: _safe_emalloc (zend_alloc.c:2482)
==9676==    by 0x63F3BB: _ecalloc (zend_alloc.c:2505)
==9676==    by 0x5A40E3: php_strtr_array (string.c:3007)
==9676==    by 0x5A5EE7: zif_strtr (string.c:3493)
==9676==    by 0x6CDD62: ZEND_DO_ICALL_SPEC_HANDLER (zend_vm_execute.h:583)
==9676==    by 0x6CD84C: execute_ex (zend_vm_execute.h:414)
==9676==    by 0x6CD92E: zend_execute (zend_vm_execute.h:458)
==9676==    by 0x671EFA: zend_execute_scripts (zend.c:1558)
==9676==    by 0x5E68CF: php_execute_script (main.c:2525)
==9676==    by 0x72EFD4: do_cli (php_cli.c:974)
==9676==    by 0x72FE56: main (php_cli.c:1345)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-10-08 11:05 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2015-10-08 11:33 UTC] dmitry@php.net 
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)
 [2015-10-08 11:33 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2015-10-13 10:12 UTC] ab@php.net 
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)
 [2016-07-20 11:36 UTC] davey@php.net 
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9af07e7119a150acd5911c97da5d91fe9e424570
Log: Fixed bug #70667 (strtr() causes invalid writes and a crashes)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 16 22:01:27 2024 UTC