Bug #72927 integer overflow in xml_utf8_encode
Submitted: 2016-08-23 06:08 UTC Modified: 2017-02-13 01:27 UTC
From: ahihibughunter at gmail dot com Assigned: stas
Status: Closed Package: XML related
PHP Version: 5.6Git-2016-08-23 (Git) OS: All
Private report: No CVE-ID:
 [2016-08-23 06:08 UTC] ahihibughunter at gmail dot com
Description:
------------
In the xml_utf8_encode function, safe_emalloc does not check the value it allocates for the string used to store the result of the encoded buffer. This causes the length of the string after encoding to be > INT_MAX.

PHPAPI char *xml_utf8_encode(const char *s, int len, int *newlen, const XML_Char *encoding)
{
..... 
newbuf = safe_emalloc(len, 4, 1); // <- must check size of safe_emalloc here
....
	} else if (c < 0x800) {
		newbuf[(*newlen)++] = (0xc0 | (c >> 6));
		newbuf[(*newlen)++] = (0x80 | (c & 0x3f));
...
}

Test script:
---------------
<?php                                     
ini_set('memory_limit', -1);              
$a = str_repeat('Ã', (0xffffffff/6) - 10);
$b = utf8_encode($a);                     
?>                                        

Expected result:
----------------
No crash

Actual result:
--------------
$gdb /data/php-src-PHP-5.6.25/sapi/cli/php                  
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.

Program received signal SIGSEGV, Segmentation fault.                                
0x000000000095b841 in xml_utf8_encode (                                             
    s=0x7fffd95e9070 'Ã' <repeats 100 times>..., len=1431655744,                    
    newlen=0x7fffffffabb0, encoding=0x10a27f1 "ISO-8859-1")                         
    at /data/php-src-PHP-5.6.25/ext/xml/xml.c:642 
642                             newbuf[(*newlen)++] = (0xc0 | (c >> 6));
(gdb)
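The mechanism behind the crash above, as an added illustration that is not code from PHP and not the fix committed for this bug: gdb shows len=1431655744 (the PoC's 'Ã' is two bytes in a UTF-8-saved script, so the input is twice the str_repeat count), every input byte is >= 0x80, and each such byte expands to two UTF-8 bytes, so the output index passes INT_MAX while *newlen is an int. The encoder below has the shape of the report's else-if branch but keeps a size_t index and refuses inputs whose encoded length would not fit in an int. The names latin1_utf8_fits_int and latin1_to_utf8, and the plain malloc() in place of safe_emalloc(), are this example's own assumptions.

```c
/*
 * Added example (not PHP's code, not the actual fix): a Latin-1 -> UTF-8
 * encoder shaped like ext/xml's xml_utf8_encode(), with the length check the
 * report asks for in front of it.
 *
 * Why the original crashes: len and *newlen are ints. Every byte >= 0x80
 * becomes two bytes, so for len > INT_MAX / 2 the output index passes INT_MAX;
 * newbuf[(*newlen)++] then wraps negative and the store lands far outside the
 * buffer (the SIGSEGV at xml.c:642 in the report).
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst case for len Latin-1 bytes is 2 output bytes each, plus a NUL.
 * Returns 1 when that total still fits in an int, 0 when the int index in
 * the encode loop would overflow for this len. */
int latin1_utf8_fits_int(size_t len)
{
    /* 2*len + 1 <= INT_MAX  <=>  len <= (INT_MAX - 1) / 2 ; no multiplication
     * is done on len itself, so the check cannot overflow either. */
    return len <= (size_t)(INT_MAX - 1) / 2;
}

/* Hardened encoder. Returns a malloc()'d NUL-terminated UTF-8 string and
 * stores its byte length in *newlen, or returns NULL (and *newlen = 0) when
 * the input is too long to report its encoded length through an int. */
char *latin1_to_utf8(const unsigned char *s, size_t len, int *newlen)
{
    *newlen = 0;
    if (!latin1_utf8_fits_int(len)) {
        return NULL;                 /* refuse instead of wrapping the index */
    }
    char *newbuf = malloc(2 * len + 1);  /* bounded by the check above */
    if (newbuf == NULL) {
        return NULL;
    }

    size_t out = 0;                  /* size_t index: cannot go negative */
    for (size_t i = 0; i < len; i++) {
        unsigned int c = s[i];       /* ISO-8859-1 byte == code point U+0000..U+00FF */
        if (c < 0x80) {
            newbuf[out++] = (char)c;
        } else {                     /* U+0080..U+00FF: two-byte sequence, as in the report */
            newbuf[out++] = (char)(0xc0 | (c >> 6));
            newbuf[out++] = (char)(0x80 | (c & 0x3f));
        }
    }
    newbuf[out] = '\0';
    *newlen = (int)out;              /* out <= INT_MAX - 1 by construction */
    return newbuf;
}

int main(void)
{
    /* Constructed sample: 'A', then 0xC3 and 0xE9 ("Ã" and "é" in Latin-1). */
    const unsigned char sample[] = { 'A', 0xC3, 0xE9 };
    int n = 0;
    char *enc = latin1_to_utf8(sample, sizeof sample, &n);
    if (enc != NULL) {
        printf("%d output bytes:", n);
        for (int i = 0; i < n; i++) printf(" %02x", (unsigned char)enc[i]);
        printf("\n");
        free(enc);
    }

    /* The length gdb shows in the report: rejected before any allocation. */
    size_t report_len = 1431655744u;
    printf("len=%zu fits int: %d\n", report_len, latin1_utf8_fits_int(report_len));
    return 0;
}
```

The check is deliberately written as a comparison on len alone rather than as `2 * len + 1 <= INT_MAX`, so the guard itself cannot overflow on a 32-bit size_t; with the original int-typed len the equivalent guard would be `len > INT_MAX / 2` before the call to safe_emalloc().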

 [2016-08-23 10:43 UTC] ahihibughunter at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-08-23 10:43 UTC] ahihibughunter at gmail dot com
I think this is a security bug.
 [2016-09-02 06:32 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-02 06:32 UTC] stas@php.net
The fix is in the security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in https://gist.github.com/39b697c75a0502e091a1191f83029034
Please verify.
 [2016-09-02 15:21 UTC] ahihibughunter at gmail dot com
The patch looks OK.
 [2016-09-13 04:12 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:27 UTC] stas@php.net
-Type: Security +Type: Bug