php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #72877 heap overflow in substr_replace
Submitted: 2016-08-18 05:23 UTC Modified: 2017-02-13 01:30 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.24 OS: ALL
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-18 05:23 UTC] minhrau dot vc dot 365 at gmail dot com 
Description:
------------
<?php

ini_set('memory_limit', -1);
$str = str_repeat('a', 0xffffffff/2);

var_dump(strlen($str));
$str1 = substr_replace($str, 'bob', strlen($str));
?>


Test script:
---------------
<?php

ini_set('memory_limit', -1);
$str = str_repeat('a', 0xffffffff/2);

var_dump(strlen($str));
$str1 = substr_replace($str, 'bob', strlen($str));
?>

Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testsubstr_replace.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483647)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a2fee in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff10a2fee in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x00000000007f67d2 in zif_substr_replace (ht=3, return_value=0x7ffff7fa00d0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2422
#2  0x00000000009652bf in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b258) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3  0x000000000096ceef in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b258) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:2602
#4  0x00000000009637b2 in execute_ex (execute_data=0x7ffff7f6b258) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#5  0x000000000096419e in zend_execute (op_array=0x7ffff7f9f7f0) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:388
#6  0x000000000091f70e in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#7  0x0000000000890619 in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#8  0x0000000000a42420 in do_cli (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#9  0x0000000000a4346e in main (argc=2, argv=0x11f8960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb) p f
No symbol "f" in current context.
(gdb) b string.c:2422
Breakpoint 1 at 0x7f67b0: file /home/minhrau/PHP-5.6.24/ext/standard/string.c, line 2422.
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testsubstr_replace.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483647)

Breakpoint 1, zif_substr_replace (ht=3, return_value=0x7ffff7fa00d0, return_value_ptr=0x7ffff7f6b160, this_ptr=0x0, return_value_used=1) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2422
2422				memcpy(result, Z_STRVAL_PP(str), f);
(gdb) p f
$1 = 2147483647
(gdb) p result_len
$2 = 3

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-19 07:33 UTC] minhrau dot vc dot 365 at gmail dot com 
Heap corruption in substr_replace due the integer overflow

PHP_FUNCTION(substr_replace)
{
	zval **str;
	zval **from;
	zval **len = NULL;
	zval **repl;
	char *result;
	int result_len;
	int l = 0;
	int f;
	int argc = ZEND_NUM_ARGS();

	HashPosition pos_str, pos_from, pos_repl, pos_len;
	zval **tmp_str = NULL, **tmp_from = NULL, **tmp_repl = NULL, **tmp_len= NULL;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZZ|Z", &str, &repl, &from, &len) == FAILURE) {
		return;
	}
...
			result_len = Z_STRLEN_PP(str) - l + repl_len; // result_len = 3
			result = emalloc(result_len + 1);

			memcpy(result, Z_STRVAL_PP(str), f); //but here f = 2147483647 -> cause the corruption
...
 [2016-09-02 06:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-02 06:23 UTC] stas@php.net 
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify
 [2016-09-05 05:29 UTC] minhrau dot vc dot 365 at gmail dot com 
Patch looks good.
 [2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:13 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2017-02-13 01:30 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri May 17 21:01:33 2024 UTC