php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72875 integer overflow in php_ldap_do_escape caused heap corruption
Submitted: 2016-08-18 03:56 UTC Modified: 2017-02-13 01:32 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: LDAP related
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-18 03:56 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
static void php_ldap_do_escape(const zend_bool *map, const char *value, size_t valuelen, char **result, size_t *resultlen)
{
	char hex[] = "0123456789abcdef";
	int i, p = 0;
	size_t len = 0;

	for (i = 0; i < valuelen; i++) {
		len += (map[(unsigned char) value[i]]) ? 3 : 1;
	}

	(*result) = (char *) safe_emalloc(1, len, 1);
	(*resultlen) = len;

	for (i = 0; i < valuelen; i++) {
		unsigned char v = (unsigned char) value[i];

		if (map[v]) {
			(*result)[p++] = '\\';
			(*result)[p++] = hex[v >> 4];  //p = -2147483647 will lead to head corruption
			(*result)[p++] = hex[v & 0x0f];
		} else {
			(*result)[p++] = v;
		}
	}

	(*result)[p++] = '\0';
}

Test script:
---------------
<?php

ini_set('memory_limit', -1);
$str = str_repeat('a', 0xffffffff/6+7);

var_dump(strlen($str));

$str1 = ldap_escape($str); //crash
?>

Expected result:
----------------
No crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testldap_escape_negative.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(715827889)

Program received signal SIGSEGV, Segmentation fault.
0x00000000006b5fcf in php_ldap_do_escape (map=0x7fffffffa720 '\001' <repeats 200 times>..., value=0x7fffc54bc030 'a' <repeats 200 times>..., valuelen=715827889, result=0x7fffffffa840, resultlen=0x7fffffffa830) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2658
2658				(*result)[p++] = hex[v & 0x0f];
(gdb) bt
#0  0x00000000006b5fcf in php_ldap_do_escape (map=0x7fffffffa720 '\001' <repeats 200 times>..., value=0x7fffc54bc030 'a' <repeats 200 times>..., valuelen=715827889, result=0x7fffffffa840, resultlen=0x7fffffffa830) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2658
#1  0x00000000006b6241 in zif_ldap_escape (ht=1, return_value=0x7ffff7f9ef68, return_value_ptr=0x7ffff7f6b140, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/ldap/ldap.c:2711
#2  0x00000000009652bf in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3  0x000000000096ceef in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:2602
#4  0x00000000009637b2 in execute_ex (execute_data=0x7ffff7f6b238) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#5  0x000000000096419e in zend_execute (op_array=0x7ffff7f9f838) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:388
#6  0x000000000091f70e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#7  0x0000000000890619 in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#8  0x0000000000a42420 in do_cli (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#9  0x0000000000a4346e in main (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb) p p
$8 = -2147483647

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-02 06:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-02 06:23 UTC] stas@php.net
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify
 [2016-09-05 05:29 UTC] minhrau dot vc dot 365 at gmail dot com
Patch looks good.
 [2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:13 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:32 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 05:01:32 2024 UTC