php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73016 integer overflow in recode_string caused heap corruption
Submitted: 2016-09-05 02:12 UTC Modified: 2017-02-13 01:25 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: Recode related
PHP Version: 5.6.25 OS: ALL
Private report: No CVE-ID: None
 [2016-09-05 02:12 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
Integer overflow in function recode_string lead to heap corruption. Please check comment below:

PHP_FUNCTION(recode_string)
{
	RECODE_REQUEST request = NULL;
	char *r = NULL;
	size_t r_len = 0, r_alen = 0;
	int req_len, str_len;
	char *req, *str;
...
	
	recode_buffer_to_buffer(request, str, str_len, &r, &r_len, &r_alen); //this function create return buffer with length > INT_MAX
...
	} else {
		RETVAL_STRINGL(r, r_len, 1); 
		free(r);
	}

	recode_delete_request(request);

	return;
}

Test script:
---------------
<?php

ini_set('memory_limit', -1);

$str = str_repeat('>', 0xffffffff/6);

var_dump(strlen($str));

$str1 = recode_string("utf-8..html", $str);

var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>



Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testrecode.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(715827882)
int(-1431655768)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
#1  0x000000000084a05d in zif_chunk_split (ht=3, return_value=0x7ffff7fa1ec0, return_value_ptr=0x7ffff7f6c0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2  0x00000000009ba153 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3  0x00000000009c1d83 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4  0x00000000009b8646 in execute_ex (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5  0x00000000009b9032 in zend_execute (op_array=0x7ffff7fa08d8) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6  0x0000000000974532 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7  0x00000000008e548e in php_execute_script (primary_file=0x7fffffffe290) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8  0x0000000000a972b4 in do_cli (argc=2, argv=0x136a960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9  0x0000000000a98302 in main (argc=2, argv=0x136a960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378
(gdb) 

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-05 05:22 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-05 05:22 UTC] stas@php.net
The fix is in security repo as aec5ab899f9de6cf11ded9c77b649b34f5fcb643 and in https://gist.github.com/ba06b796489e3c50924f2bb3c99012b0

please verify
 [2016-09-05 05:26 UTC] minhrau dot vc dot 365 at gmail dot com
Patch looks good.

can i request cve for this?
 [2016-09-13 04:12 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:25 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 11:01:30 2024 UTC