php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73122 Integer Overflow when concatenating strings
Submitted: 2016-09-20 10:06 UTC Modified: 2021-08-17 14:07 UTC
Votes:3
Avg. Score:3.0 ± 1.6
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tloi at fortinet dot com Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: master-Git-2016-09-20 (Git) OS:
Private report: No CVE-ID: 2017-8923
 [2016-09-20 10:06 UTC] tloi at fortinet dot com
Description:
------------
Recently I notice php has been patched several times to prevent generating negative-length string to mitigate security issue. But the concat operation can still be used to overflow the length of string.

PoC ran on 32 bit version

This can be patched by checking len in either:

ZEND_CONCAT_*() functions in Zend_vm_execute.h 
or
zend_string_extend() function in Zend_string.h


Test script:
---------------
<?php
ini_set('memory_limit', -1);
$a = str_repeat('a',0x7fffffff)."aa";
print strlen($a);
?>

Expected result:
----------------
zend_throw_error(NULL, "String size overflow");

Actual result:
--------------
➜  bin ./php -v
PHP 7.2.0-dev (cli) (built: Sep 20 2016 16:41:04) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies
➜  bin ./php poc.php
-2147483647#


===================
on another machine with php from ubuntu's official repository:
root@ubuntu-4gb-sgp1-01:~# php -v
PHP 7.0.8-0ubuntu0.16.04.2 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.8-0ubuntu0.16.04.2, Copyright (c) 1999-2016, by Zend Technologies
root@ubuntu-4gb-sgp1-01:~# php poc.php


mmap() failed: [12] Cannot allocate memory
[1]    16589 segmentation fault (core dumped)  php poc.php

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-20 16:26 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-11-13 09:53 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2017-8923
 [2018-03-02 18:52 UTC] contacto at agora-security dot com
Has this issue been fixed?
I don't see any reference about it in the Changelog:
http://www.php.net/ChangeLog-7.php#7.1.5
 [2021-08-17 14:00 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/f1ce8d5f5839cb2069ea37ff424fb96b8cd6932d
Log: Fix #73122: Integer Overflow when concatenating strings
 [2021-08-17 14:00 UTC] git@php.net
-Status: Open +Status: Closed
 [2021-08-17 14:07 UTC] cmb@php.net
-Status: Closed +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-08-17 14:07 UTC] cmb@php.net
This ticket has been closed accidentially.

Note that this is not a security issue, so there shouldn't be a
CVE. Since it obviously has already been assigned, I'm not sure
what to do here.
 [2021-08-17 14:08 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #73122: Integer Overflow when concatenating strings
On GitHub:  https://github.com/php/php-src/pull/7381
Patch:      https://github.com/php/php-src/pull/7381.patch
 [2021-08-18 12:55 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/0b7dffb41f0b571c00304c973f9b85ef910d43d9
Log: Fix #73122: Integer Overflow when concatenating strings
 [2021-08-18 12:55 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Sep 16 19:03:38 2021 UTC