php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72893 integer overflow in pg_escape_bytea caused heap corruption
Submitted: 2016-08-19 06:54 UTC Modified: 2017-02-13 01:29 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: PostgreSQL related
PHP Version: 5.6.25 OS: ALL
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-08-19 06:54 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
 There is integer overflow in pg_escape_bytea function, check comment below:

PHP_FUNCTION(pg_escape_bytea)
{
	

	switch (ZEND_NUM_ARGS()) {
		case 1:
			if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &from, &from_len) == FAILURE) {
				return;
			}
			pgsql_link = NULL;
			id = PGG(default_link);
			break;

		default:
			if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &pgsql_link, &from, &from_len) == FAILURE) {
				return;
			}
			break;
	}


		to = (char *)PQescapeBytea((unsigned char*)from, from_len, &to_len); //this return string has length > INT_MAX. must check this legnth

Test script:
---------------
<?php

ini_set('memory_limit', -1);
$dbconn = pg_connect('dbname=foo');
$str = str_repeat('Ö', 0xffffffff/14);

var_dump(strlen($str));
// Escape the binary data
$escaped = pg_escape_bytea($str);

var_dump(strlen($escaped));
chunk_split($escaped, 11, $escaped);
?>

Expected result:
----------------
No crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testpg_escape_bytea.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Warning: pg_connect(): Unable to connect to PostgreSQL server: could not connect to server: No such file or directory
	Is the server running locally and accepting
	connections on Unix domain socket "/run/postgresql/.s.PGSQL.5432"? in /home/minhrau/phptestcase/testpg_escape_bytea.php on line 5
int(613566756)
int(-1227133516)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x000000000085c16f in zif_chunk_split (ht=3, return_value=0x7ffff7fa15d8, return_value_ptr=0x7ffff7f6b0e0, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2221
#2  0x00000000009cc114 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b278) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3  0x00000000009d3d44 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b278) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:2602
#4  0x00000000009ca607 in execute_ex (execute_data=0x7ffff7f6b278) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#5  0x00000000009caff3 in zend_execute (op_array=0x7ffff7f9f810) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:388
#6  0x0000000000986563 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#7  0x00000000008f746e in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#8  0x0000000000aa9275 in do_cli (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#9  0x0000000000aaa2c3 in main (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb) 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-02 06:23 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-02 06:23 UTC] stas@php.net
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify
 [2016-09-05 05:28 UTC] minhrau dot vc dot 365 at gmail dot com
Patch looks good.
 [2016-09-13 04:13 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:13 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:29 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 07:01:28 2024 UTC