php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73011 integer overflow in fgets cause heap corruption
Submitted: 2016-09-04 11:37 UTC Modified: 2017-02-13 01:25 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: Filesystem function related
PHP Version: 5.6.25 OS: ALL
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: minhrau dot vc dot 365 at gmail dot com
New email:
PHP Version: OS:

 

 [2016-09-04 11:37 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
 Integer overflow in function fgets lead to heap corruption. Please check comment below:

PHPAPI PHP_FUNCTION(fgets)
{
	zval *res;
	long len = 1024;
	char *buf = NULL;
	int argc = ZEND_NUM_ARGS();
	size_t line_len = 0;
	php_stream *stream;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|l", &res, &len) == FAILURE) {
		RETURN_FALSE;
	}

	PHP_STREAM_TO_ZVAL(stream, &res);

	if (argc == 1) {
		/* ask streams to give us a buffer of an appropriate size */
		buf = php_stream_get_line(stream, NULL, 0, &line_len); //<- return string with size_t length
		if (buf == NULL) {
			goto exit_failed;
		}
	} else if (argc > 1) {
		if (len <= 0) {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be greater than 0");
			RETURN_FALSE;
		}

		buf = ecalloc(len + 1, sizeof(char));
		if (php_stream_get_line(stream, buf, len, &line_len) == NULL) {
			goto exit_failed;
		}
	}
	//didn't check for len > INT_MAX				
	ZVAL_STRINGL(return_value, buf, line_len, 0);

Test script:
---------------
<?php

ini_set('memory_limit', -1);

$fd = fopen("/opt/lampp/htdocs/a", "r"); //file a with line > max_int
$str1 = fgets($fd);
var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>


Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testfgets.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

int(-2147483523)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a59a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff10a59a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
#1  0x000000000085c99e in zif_chunk_split (ht=3, return_value=0x7ffff7fa14c0, return_value_ptr=0x7ffff7f6c0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2  0x00000000009cca94 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3  0x00000000009d46c4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4  0x00000000009caf87 in execute_ex (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5  0x00000000009cb973 in zend_execute (op_array=0x7ffff7fa08d8) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6  0x0000000000986e73 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7  0x00000000008f7dcf in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8  0x0000000000aa9bf5 in do_cli (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9  0x0000000000aaac43 in main (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378
(gdb) 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-04 11:39 UTC] minhrau dot vc dot 365 at gmail dot com
-Package: *General Issues +Package: Filesystem function related
 [2016-09-04 11:39 UTC] minhrau dot vc dot 365 at gmail dot com
change the package name
 [2016-09-05 05:22 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-05 05:22 UTC] stas@php.net
The fix is in security repo as aec5ab899f9de6cf11ded9c77b649b34f5fcb643 and in https://gist.github.com/ba06b796489e3c50924f2bb3c99012b0

please verify
 [2016-09-05 05:26 UTC] minhrau dot vc dot 365 at gmail dot com
Patch looks good.

can i request cve for this?
 [2016-09-13 04:12 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:25 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 16:01:29 2024 UTC