php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72849 integer overflow in urlencode caused heap corruption
Submitted: 2016-08-16 07:45 UTC Modified: 2017-02-13 01:44 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas
Status: Closed Package: URL related
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID:
 [2016-08-16 07:45 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
An integer overflow in function php_quot_print_encode, will lead to heap
corruption. Please check the detail of this vuln in comment below:


PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
{
	register unsigned char c;
	unsigned char *to, *start;
	unsigned char const *from, *end;

	from = (unsigned char *)s;
	end = (unsigned char *)s + len;
	start = to = (unsigned char *) safe_emalloc(3, len, 1); // // the size of safe_emalloc is larger than INT_MAX

	while (from < end) {
		c = *from++;
...

Test script:
---------------
<?php

ini_set('memory_limit', -1);


$str = str_repeat('<', 0xffffffff/4);

var_dump(strlen($str));


$str1 = urlencode($str);
var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>


Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testurlencode_negative.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(1073741823)
int(-1073741827)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1d92fd7 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff1d92fd7 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x00000000006b061f in zif_chunk_split (ht=<optimized out>, return_value=0x7ffff7fa4110, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2221
#2  0x00000000007f916d in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3  0x0000000000783c2e in execute_ex (execute_data=0x7ffff7f6f238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#4  0x000000000074ee21 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#5  0x00000000006ed1b0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd0e0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#6  0x00000000007fab77 in do_cli (argc=2, argv=0xf8d960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#7  0x00000000004361e4 in main (argc=2, argv=0xf8d960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-16 23:01 UTC] stas@php.net
The fix is in security repo as 4e4934f83e2dc03874ca93df840e733b739a0703 and in https://gist.github.com/5e951dca547fdad11472264c40e7ee8e

please verify
 [2016-08-16 23:01 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-08-17 05:57 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b9e81e58440b9b5c07bf5435baef5531b2b318a0
Log: Fixed bug #72849 - integer overflow in urlencode
 [2016-08-17 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b9e81e58440b9b5c07bf5435baef5531b2b318a0
Log: Fixed bug #72849 - integer overflow in urlencode
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b9e81e58440b9b5c07bf5435baef5531b2b318a0
Log: Fixed bug #72849 - integer overflow in urlencode
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dc223e524d640167c0f12e942eb52cabd6f89ee4
Log: Fixed bug #72849 - integer overflow in urlencode
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b9e81e58440b9b5c07bf5435baef5531b2b318a0
Log: Fixed bug #72849 - integer overflow in urlencode
 [2017-02-13 01:44 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 21 06:01:37 2017 UTC