php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #71408 Stack corruption via crafted pattern in preg_match
Submitted: 2016-01-18 15:17 UTC Modified: 2016-02-01 06:21 UTC
From: vuln-report at secur3 dot us Assigned: stas (profile)
Status: Closed Package: PCRE related
PHP Version: 7.0.2 OS: Ubuntu 15.10 x64 (4.2.0-18)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: vuln-report at secur3 dot us
New email:
PHP Version: OS:

 

 [2016-01-18 15:17 UTC] vuln-report at secur3 dot us
Description:
------------
While fuzzing preg_match with afl-fuzz, I found a pattern that causes a segfault.  Examination with gdb indicates that the stack has been corrupted.  (The bt output is provided in the actual result section.

The crashing pattern was tested with a clean build of the php-7.0.2 tag from GitHub.  It was configured with defaults (./buildconf && ./configure && make) using ./sapi/cli/php as the tested binary.

Test script:
---------------
./sapi/cli/php -r 'preg_match("/(?(199999999999999999)(()())())/","abcdef", $matches, PREG_OFFSET_CAPTURE);'

Expected result:
----------------
No output should be returned

Actual result:
--------------
Segmentation Fault

GDB Backtrace does not make sense:
(gdb) bt
#0  0x00007ffff7f66086 in ?? ()
#1  0x0000000000000000 in ?? ()

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-01-18 18:27 UTC] stas@php.net
This looks like PCRE issue, I would suggest submitting it upstream.
 [2016-01-19 11:17 UTC] vuln-report at secur3 dot us
This is already fixed upstream.  Item number 8 in the ChangeLog for 8.38 says:

8.  There was no check for integer overflow in subroutine calls such as (?123).
 [2016-02-01 06:21 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-02-01 06:21 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

PCRE upgraded to 8.38
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Oct 19 10:01:26 2019 UTC