Bug #72138 Integer Overflow in Length of String-typed ZVAL
Submitted: 2016-05-02 10:08 UTC Modified: 2016-05-10 05:28 UTC
From: taoguangchen at icloud dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.21 OS: *
Private report: No CVE-ID: None
 [2016-05-02 10:08 UTC] taoguangchen at icloud dot com
Description:
------------
```c
typedef union _zvalue_value {
	long lval;					/* long value */
	double dval;				/* double value */
	struct {
		char *val;
		int len;				/* signed 32-bit length of the string */
	} str;						/* string value */
	HashTable *ht;				/* hash table value */
	zend_object_value obj;
} zvalue_value;
```

The len is defined as a signed int; an integer overflow is possible in some situations, which results in len becoming a negative value and a corrupted string-typed ZVAL.

Example, in str_replace/str_ireplace:

```c
	/* 32-bit int arithmetic: wraps when the result exceeds INT_MAX */
	Z_STRLEN_P(result) = len + (char_count * (to_len - 1));
```

PoC:

```php
<?php

ini_set('memory_limit', -1);   // lift the memory limit so the ~4 GiB result is attempted
// 0xffffffff/8 = 536870911.875, truncated to 536870911 'B's; replacing each
// with 8 bytes of 'A' needs 4294967288 bytes, which does not fit a signed 32-bit len
$str = str_replace('B', 'AAAAAAAA', str_repeat('B', 0xffffffff/8));
var_dump(strlen($str));

?>
```
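The following is an added example in C (not php-src code and not the fix in the linked commit) that shows, with the PoC's numbers, why the report's expression needs a range check: the checked variant computes the result length in 64 bits and rejects anything that does not fit the signed 32-bit `len` field, beside the unchecked expression evaluated modulo 2^32 as a wrapped 32-bit int would be. Function names and the -1 sentinel are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not php-src code: result length of a replace-all,
 * len + char_count * (to_len - 1), computed in 64 bits and rejected
 * (return -1) when it would not fit the signed 32-bit str.len field. */
static int64_t replace_result_len_checked(int32_t len, int32_t char_count,
                                          int32_t to_len)
{
    int64_t delta, total;

    if (len < 0 || char_count < 0 || to_len < 0)
        return -1;                       /* invalid inputs */
    /* every operand is <= INT32_MAX, so these cannot overflow int64 */
    delta = (int64_t)char_count * ((int64_t)to_len - 1);
    total = (int64_t)len + delta;
    if (total < 0 || total > INT32_MAX)
        return -1;                       /* would overflow a 32-bit len */
    return total;
}

/* The unchecked expression from the report, evaluated modulo 2^32 the way
 * a wrapped 32-bit int ends up (unsigned arithmetic avoids C undefined
 * behaviour on signed overflow). */
static int32_t replace_result_len_unchecked(int32_t len, int32_t char_count,
                                            int32_t to_len)
{
    uint32_t wrapped = (uint32_t)len +
                       (uint32_t)char_count * (uint32_t)(to_len - 1);
    return (int32_t)wrapped;
}

int main(void)
{
    /* the PoC's numbers: 536870911 'B's, each replaced by 8 'A's */
    int32_t len = 536870911, char_count = 536870911, to_len = 8;

    printf("checked:   %lld\n",
           (long long)replace_result_len_checked(len, char_count, to_len));
    printf("unchecked: %d\n",
           replace_result_len_unchecked(len, char_count, to_len));
    return 0;
}
```

For the PoC's numbers the true length is 4294967288; the checked variant returns -1 while the unchecked one yields -8, the negative len the report describes.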


History

 [2016-05-10 05:28 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Reproducible crash -PHP Version: 5.5.35 +PHP Version: 5.6.21
 [2016-05-10 05:28 UTC] stas@php.net
This does not look like a security issue - it requires special code under an unrealistic memory limit.
 [2016-06-14 08:04 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4c968c6ddd2d3eb46838db153264edf5c7b3fefa
Log: Fix bug #72138 - Integer Overflow in Length of String-typed ZVAL
 [2016-06-14 08:04 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-06-22 05:58 UTC] krakjoe@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4c968c6ddd2d3eb46838db153264edf5c7b3fefa
Log: Fix bug #72138 - Integer Overflow in Length of String-typed ZVAL