php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72837 integer overflow in bzdecompress caused heap corruption
Submitted: 2016-08-15 07:03 UTC Modified: 2017-02-13 01:56 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas
Status: Closed Package: Bzip2 Related
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID:
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
45 + 33 = ?
Subscribe to this entry?

 
 [2016-08-15 07:03 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
In bzdecompress function, result length was not be checked, so the function will return a string with length > INT_MAX. This result can be used some where else and caused heap corruption. Check PoC below.


static PHP_FUNCTION(bzdecompress)
{
	...
		bzs.avail_out = source_len;
		size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
		dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );// the result of dest is the string with length > INT_MAX
		bzs.next_out = dest + size;
	}
        ...

Test script:
---------------
<?php

ini_set('memory_limit', -1);


$bzstr = file_get_contents("bz.txt"); //bz.txt download here: 
https://mega.nz/#!Lk9TRQLQ!rNsKNalS77X_GujsMrhZX-KOI4tv5mT-CjgQbbX_OSc

var_dump(strlen($bzstr));
$str1 = bzdecompress($bzstr);
var_dump(strlen($str1));


chunk_split($str1, 11, $str1);
?>


Expected result:
----------------
No crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testbbz2_negativelength.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(138533)
int(-1431655772)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1d92f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff1d92f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x00000000006b053f in zif_chunk_split (ht=<optimized out>, return_value=0x7ffff7fa4330, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2221
#2  0x00000000007f908d in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3  0x0000000000783b4e in execute_ex (execute_data=0x7ffff7f6f218) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#4  0x000000000074ed41 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#5  0x00000000006ed0d0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd0e0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#6  0x00000000007faa97 in do_cli (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#7  0x00000000004361e4 in main (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-16 06:18 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-08-16 06:18 UTC] stas@php.net
The fix is in security repo as 27b9daa8f58defdfce71163340ff58374cc5eb4f and in https://gist.github.com/2019d9cbc3808628f8b87c0cb80b3139

please verify
 [2016-08-16 07:17 UTC] minhrau dot vc dot 365 at gmail dot com
The patch looks good.
 [2016-08-17 05:57 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cfdeedd98558a7f946ed79f7100812dc2a43abfe
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2016-08-17 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cfdeedd98558a7f946ed79f7100812dc2a43abfe
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=67d0fe39ee554563476ecae13c626580ae1a6612
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cfdeedd98558a7f946ed79f7100812dc2a43abfe
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=67d0fe39ee554563476ecae13c626580ae1a6612
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2016-08-17 12:04 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a20112a1d69e550fafee88aa9065851925bcf3e0
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=69236ea9793b76b778c6cd64748cfee817521118
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cfdeedd98558a7f946ed79f7100812dc2a43abfe
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=67d0fe39ee554563476ecae13c626580ae1a6612
Log: Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
 [2017-02-13 01:56 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC