php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73122 Integer Overflow when concatenating strings
Submitted: 2016-09-20 10:06 UTC Modified: 2017-11-13 09:53 UTC
Votes:3
Avg. Score:3.0 ± 1.6
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tloi at fortinet dot com Assigned:
Status: Open Package: Strings related
PHP Version: master-Git-2016-09-20 (Git) OS:
Private report: No CVE-ID: 2017-8923
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
32 - 21 = ?
Subscribe to this entry?

 
 [2016-09-20 10:06 UTC] tloi at fortinet dot com
Description:
------------
Recently I notice php has been patched several times to prevent generating negative-length string to mitigate security issue. But the concat operation can still be used to overflow the length of string.

PoC ran on 32 bit version

This can be patched by checking len in either:

ZEND_CONCAT_*() functions in Zend_vm_execute.h 
or
zend_string_extend() function in Zend_string.h


Test script:
---------------
<?php
ini_set('memory_limit', -1);
$a = str_repeat('a',0x7fffffff)."aa";
print strlen($a);
?>

Expected result:
----------------
zend_throw_error(NULL, "String size overflow");

Actual result:
--------------
➜  bin ./php -v
PHP 7.2.0-dev (cli) (built: Sep 20 2016 16:41:04) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies
➜  bin ./php poc.php
-2147483647#


===================
on another machine with php from ubuntu's official repository:
root@ubuntu-4gb-sgp1-01:~# php -v
PHP 7.0.8-0ubuntu0.16.04.2 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.8-0ubuntu0.16.04.2, Copyright (c) 1999-2016, by Zend Technologies
root@ubuntu-4gb-sgp1-01:~# php poc.php


mmap() failed: [12] Cannot allocate memory
[1]    16589 segmentation fault (core dumped)  php poc.php

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-20 16:26 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-11-13 09:53 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2017-8923
 [2018-03-02 18:52 UTC] contacto at agora-security dot com
Has this issue been fixed?
I don't see any reference about it in the Changelog:
http://www.php.net/ChangeLog-7.php#7.1.5
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Apr 01 11:01:23 2020 UTC