php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73045 integer overflow in fgetcsv caused heap corruption
Submitted: 2016-09-08 09:37 UTC Modified: 2017-02-13 01:24 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.25 OS: ALL
Private report: No CVE-ID: None
 [2016-09-08 09:37 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
The fgetcsv function will read file and parse it as csv. But if has has a csv field with length, it'll cause integer overflow and will lead to heap corruption:

PHPAPI void php_fgetcsv(php_stream *stream, char delimiter, char enclosure, char escape_char, size_t buf_len, char *buf, zval *return_value TSRMLS_DC) /* {{{ */
{
	char *temp, *tptr, *bptr, *line_end, *limit;
	size_t temp_len, line_end_len;
	int inc_len;
	zend_bool first_field = 1;

...
	temp_len = buf_len;
	temp = emalloc(temp_len + line_end_len + 1); //this value here will be overflow integer

	/* Initialize return array */
	array_init(return_value);

Test script:
---------------
<?php

ini_set('memory_limit', -1);

$handle = fopen("/opt/lampp/htdocs/a", "r");
/*use python to create this file:
>>> f = open("/opt/lampp/htdocs/a", 'w')
>>> f.write("a,"+"A"*(0xffffffff/2+1000))
>>> f.close()
*/
$str1 = fgetcsv($handle); 
 
var_dump(strlen($str1[1]));

chunk_split($str1[1], 11, $str1[1]);
?>


Expected result:
----------------
No crash

Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testfgetcsv.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".


Breakpoint 1, php_fgetcsv (stream=0x7ffff7fa1190, delimiter=44 ',', enclosure=34 '"', escape_char=92 '\\', buf_len=2147484649, buf=0x7ffef0726030 "a,", 'A' <repeats 198 times>..., return_value=0x7ffff7fa0018) at /home/minhrau/PHP-5.6.25/ext/standard/file.c:2072
2072		temp = emalloc(temp_len + line_end_len + 1);
(gdb) p temp_len + line_end_len + 1
$1 = 2147484650
(gdb)c
int(-2147482649)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff11ff9a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-12 03:56 UTC] stas@php.net
Most probably fixed by https://gist.github.com/39b697c75a0502e091a1191f83029034 but there's size_t/uint conversion so to be sure I'll add a check.
 [2016-09-12 03:59 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-13 04:11 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-09-13 04:11 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:24 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 15 09:01:26 2024 UTC