php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #71408 Stack corruption via crafted pattern in preg_match
Submitted: 2016-01-18 15:17 UTC Modified: 2016-02-01 06:21 UTC
From: vuln-report at secur3 dot us Assigned: stas (profile)
Status: Closed Package: PCRE related
PHP Version: 7.0.2 OS: Ubuntu 15.10 x64 (4.2.0-18)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
49 + 44 = ?
Subscribe to this entry?

 
 [2016-01-18 15:17 UTC] vuln-report at secur3 dot us
Description:
------------
While fuzzing preg_match with afl-fuzz, I found a pattern that causes a segfault.  Examination with gdb indicates that the stack has been corrupted.  (The bt output is provided in the actual result section.

The crashing pattern was tested with a clean build of the php-7.0.2 tag from GitHub.  It was configured with defaults (./buildconf && ./configure && make) using ./sapi/cli/php as the tested binary.

Test script:
---------------
./sapi/cli/php -r 'preg_match("/(?(199999999999999999)(()())())/","abcdef", $matches, PREG_OFFSET_CAPTURE);'

Expected result:
----------------
No output should be returned

Actual result:
--------------
Segmentation Fault

GDB Backtrace does not make sense:
(gdb) bt
#0  0x00007ffff7f66086 in ?? ()
#1  0x0000000000000000 in ?? ()

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-01-18 18:27 UTC] stas@php.net
This looks like PCRE issue, I would suggest submitting it upstream.
 [2016-01-19 11:17 UTC] vuln-report at secur3 dot us
This is already fixed upstream.  Item number 8 in the ChangeLog for 8.38 says:

8.  There was no check for integer overflow in subroutine calls such as (?123).
 [2016-02-01 06:21 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-02-01 06:21 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

PCRE upgraded to 8.38
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 12:01:27 2024 UTC