|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73122 Integer Overflow when concatenating strings
Submitted: 2016-09-20 10:06 UTC Modified: 2021-08-17 14:07 UTC
Avg. Score:3.0 ± 1.6
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tloi at fortinet dot com Assigned: cmb (profile)
Status: Closed Package: Strings related
PHP Version: master-Git-2016-09-20 (Git) OS:
Private report: No CVE-ID: 2017-8923
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
40 + 16 = ?
Subscribe to this entry?

 [2016-09-20 10:06 UTC] tloi at fortinet dot com
Recently I notice php has been patched several times to prevent generating negative-length string to mitigate security issue. But the concat operation can still be used to overflow the length of string.

PoC ran on 32 bit version

This can be patched by checking len in either:

ZEND_CONCAT_*() functions in Zend_vm_execute.h 
zend_string_extend() function in Zend_string.h

Test script:
ini_set('memory_limit', -1);
$a = str_repeat('a',0x7fffffff)."aa";
print strlen($a);

Expected result:
zend_throw_error(NULL, "String size overflow");

Actual result:
➜  bin ./php -v
PHP 7.2.0-dev (cli) (built: Sep 20 2016 16:41:04) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies
➜  bin ./php poc.php

on another machine with php from ubuntu's official repository:
root@ubuntu-4gb-sgp1-01:~# php -v
PHP 7.0.8-0ubuntu0.16.04.2 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.8-0ubuntu0.16.04.2, Copyright (c) 1999-2016, by Zend Technologies
root@ubuntu-4gb-sgp1-01:~# php poc.php

mmap() failed: [12] Cannot allocate memory
[1]    16589 segmentation fault (core dumped)  php poc.php


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-20 16:26 UTC]
-Type: Security +Type: Bug
 [2017-11-13 09:53 UTC]
-CVE-ID: +CVE-ID: 2017-8923
 [2018-03-02 18:52 UTC] contacto at agora-security dot com
Has this issue been fixed?
I don't see any reference about it in the Changelog:
 [2021-08-17 14:00 UTC]
Automatic comment on behalf of cmb69
Log: Fix #73122: Integer Overflow when concatenating strings
 [2021-08-17 14:00 UTC]
-Status: Open +Status: Closed
 [2021-08-17 14:07 UTC]
-Status: Closed +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-08-17 14:07 UTC]
This ticket has been closed accidentially.

Note that this is not a security issue, so there shouldn't be a
CVE. Since it obviously has already been assigned, I'm not sure
what to do here.
 [2021-08-17 14:08 UTC]
The following pull request has been associated:

Patch Name: Fix #73122: Integer Overflow when concatenating strings
On GitHub:
 [2021-08-18 12:55 UTC]
Automatic comment on behalf of cmb69
Log: Fix #73122: Integer Overflow when concatenating strings
 [2021-08-18 12:55 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Feb 26 04:01:27 2024 UTC