Sec Bug #73136 NULL pointer dereference in mb_parse_str
Submitted: 2016-09-21 07:53 UTC Modified: 2016-10-12 00:01 UTC
From: minhrau dot vc dot 365 at gmail dot com Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.0.11 OS: ALL
Private report: No CVE-ID: None

 [2016-09-21 07:53 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
There is a NULL pointer dereference in mb_parse_str. If the number of elements is large, there will not be enough space for the ecalloc call, so ecalloc will fail and val_list will be NULL.

227		val_list = (char **)ecalloc(num, sizeof(char *));

After that, the reference to val_list will cause the program to crash.

Test script:
---------------
<?php

// Lift the PHP-level limit so the huge allocation is actually attempted.
ini_set('memory_limit', -1);

// Three normal pairs followed by roughly half a billion "&a" tokens, so the
// element count passed to ecalloc() in mb_gpc.c is enormous.
$str = "email=kehaovista@qq.com&city=shanghai&job=Phper".str_repeat('&a', 0xffffffff/8);

// Run with USE_ZEND_ALLOC=0 in the environment (see the comments below),
// so a failed allocation returns NULL instead of raising a fatal error.
mb_parse_str($str, $result);

?>

Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/php-src/sapi/cli/php ~/phptestcase/testmb_parse_str.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Breakpoint 3, zend_parse_parameters (num_args=2, type_spec=0x10afdf5 "SS") at /home/minhrau/php-src/Zend/zend_API.c:957
957		int flags = 0;
(gdb) c
Continuing.

Breakpoint 3, zend_parse_parameters (num_args=2, type_spec=0x10c1012 "Sl") at /home/minhrau/php-src/Zend/zend_API.c:957
957		int flags = 0;
(gdb) c
Continuing.

Breakpoint 3, zend_parse_parameters (num_args=2, type_spec=0x107c02d "s|z/") at /home/minhrau/php-src/Zend/zend_API.c:957
957		int flags = 0;
(gdb) c
Continuing.

Breakpoint 4, zif_mb_parse_str (execute_data=0x7ffff0284100, return_value=0x7fffffffa8d0) at /home/minhrau/php-src/ext/mbstring/mbstring.c:2116
2116		if (track_vars_array != NULL) {
(gdb) c
Continuing.

Breakpoint 5, _php_mb_encoding_handler_ex (info=0x7fffffffa850, arg=0x1637a38, res=0x7fffb0283010 "email=kehaovista@qq.com&city=shanghai&job=Phper&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&"...) at /home/minhrau/php-src/ext/mbstring/mb_gpc.c:227
227		val_list = (char **)ecalloc(num, sizeof(char *));
(gdb) p num
$5 = 1073741828
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x000000000070a257 in _php_mb_encoding_handler_ex (info=0x7fffffffa850, arg=0x1637a38, res=0x7fffb0283010 "email") at /home/minhrau/php-src/ext/mbstring/mb_gpc.c:237
237				len_list[n] = php_url_decode(var, val-var);
(gdb) list
232		strtok_buf = NULL;
233		var = php_strtok_r(res, info->separator, &strtok_buf);
234		while (var)  {
235			val = strchr(var, '=');
236			if (val) { /* have a value */
237				len_list[n] = php_url_decode(var, val-var);
238				val_list[n] = var;
239				n++;
240	
241				*val++ = '\0';
(gdb) 

History
 [2016-09-25 23:20 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-09-25 23:20 UTC] stas@php.net
Could not reproduce the issue. I get:

Warning: mb_parse_str(): Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in /Users/smalyshev/php-7.0/mamp/73136.php on line 7
 [2016-09-26 01:47 UTC] minhrau dot vc dot 365 at gmail dot com
-Status: Feedback +Status: Open
 [2016-09-26 01:47 UTC] minhrau dot vc dot 365 at gmail dot com
Could you check your php.ini?

In default configuration, the line max_input_vars had been comment out.

; max_input_vars = 1000

Regards.
 [2016-09-26 02:50 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-09-26 02:50 UTC] stas@php.net
The default for max_input_vars is 1000. Did you use any additional options? I still am unable to reproduce any issue.
 [2016-09-26 03:03 UTC] minhrau dot vc dot 365 at gmail dot com
-Status: Feedback +Status: Open
 [2016-09-26 03:03 UTC] minhrau dot vc dot 365 at gmail dot com
I tried adding the line below to my test case; its output is 1000. But I didn't get the "Warning: mb_parse_str(): Input variables exceeded 1000". But this is a warning, so the script will continue running?

echo ini_get("max_input_vars");

And you must export this to use the normal allocator: export USE_ZEND_ALLOC=0
 [2016-09-26 03:06 UTC] stas@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2016-09-26 03:06 UTC] stas@php.net
Please next time report all non-standard settings you used.

Setting USE_ZEND_ALLOC=0 overrides normal memory management, and in this case if you're out of memory you'd get segfault.
 [2016-09-26 03:06 UTC] minhrau dot vc dot 365 at gmail dot com
-Status: Not a bug +Status: Open -Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-09-26 03:06 UTC] minhrau dot vc dot 365 at gmail dot com
The crash happens before reaching the Warning.

Just export USE_ZEND_ALLOC=0 and check again.

Thanks.
 [2016-09-26 03:11 UTC] stas@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2016-09-26 03:11 UTC] stas@php.net
Please stop.
 [2016-09-26 03:23 UTC] minhrau dot vc dot 365 at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-09-26 03:23 UTC] minhrau dot vc dot 365 at gmail dot com
Hi,

This kind of bug is the same as https://bugs.php.net/bug.php?id=72407 (failing to allocate new memory, using the normal allocator).

The code should check the result of the allocation. The null dereference happens when it accesses the null pointer. What is your expectation here?
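The allocate-then-fill pattern described in the report and in the comment just above, as an added C example (not PHP's code, not a patch from this thread, and not the project's fix): a query-string splitter in the shape of _php_mb_encoding_handler_ex with the two checks the crash path lacks. The g_calloc hook, the max_vars parameter standing in for max_input_vars, the -1/-2 return codes and the sample string are assumptions of this example; it does no URL decoding.

```c
#include <stdlib.h>
#include <string.h>

/* Swappable allocator (an assumption of this example, not a PHP API) so the
 * failure path can be exercised without exhausting memory. With
 * USE_ZEND_ALLOC=0, ecalloc() ends up in the system allocator, which returns
 * NULL on failure instead of aborting the request. */
typedef void *(*calloc_fn)(size_t, size_t);
static calloc_fn g_calloc = calloc;

static void *failing_calloc(size_t n, size_t sz)
{
    (void)n; (void)sz;
    return NULL;                          /* simulate out-of-memory calloc() */
}

typedef struct {
    char  *buf;      /* private copy of the query; names/values point into it */
    char **names;
    char **values;   /* NULL entry when the variable has no '=' */
    size_t n;
} query_vars;

static size_t count_vars(const char *s, char sep)   /* separators + 1 */
{
    size_t n = (s && *s) ? 1 : 0;
    for (; s && *s; s++)
        n += (*s == sep);
    return n;
}

void query_vars_free(query_vars *q)
{
    free(q->buf); free(q->names); free(q->values);
    memset(q, 0, sizeof *q);
}

/* Parse "k=v<sep>k2=v2..." into *out. Returns the number of variables,
 * -2 if the count exceeds max_vars (PHP's max_input_vars role), or
 * -1 if an allocation fails. Nothing is left allocated on error. */
int parse_query_checked(const char *query, char sep, size_t max_vars, query_vars *out)
{
    memset(out, 0, sizeof *out);
    size_t num = count_vars(query, sep);
    /* Check 1: enforce the limit before sizing the table, so an
     * attacker-chosen count never reaches the allocator. */
    if (num > max_vars)
        return -2;
    if (num == 0)
        return 0;
    size_t len = strlen(query) + 1;
    out->buf    = malloc(len);
    out->names  = g_calloc(num, sizeof *out->names);
    out->values = g_calloc(num, sizeof *out->values);
    /* Check 2: the NULL check the report asks for. Without it, the first
     * names[n] = p store below is the SIGSEGV in the gdb transcript. */
    if (!out->buf || !out->names || !out->values) {
        query_vars_free(out);
        return -1;
    }
    memcpy(out->buf, query, len);
    for (char *p = out->buf; p && out->n < num; ) {
        char *next = strchr(p, sep);
        if (next)
            *next++ = '\0';               /* terminate token, step past sep */
        if (*p) {                         /* skip empty tokens such as "a&&b" */
            char *eq = strchr(p, '=');
            if (eq)
                *eq++ = '\0';             /* split "name=value" in place */
            out->names[out->n]  = p;
            out->values[out->n] = eq;     /* NULL for a bare "a" token */
            out->n++;
        }
        p = next;
    }
    return (int)out->n;
}

/* Constructed sample, shaped like the report's string but short. */
static const char SAMPLE[] = "email=kehaovista@qq.com&city=shanghai&job=Phper&a&a";

/* Working allocator, default-like limit: five variables, two without values. */
int demo_normal(void)
{
    query_vars q;
    int n = parse_query_checked(SAMPLE, '&', 1000, &q);
    int ok = n == 5 && strcmp(q.names[0], "email") == 0
          && strcmp(q.values[1], "shanghai") == 0
          && strcmp(q.names[3], "a") == 0 && q.values[3] == NULL;
    query_vars_free(&q);
    return ok ? n : -3;
}

/* Same input with a failing calloc(): an error return, not a crash. */
int demo_alloc_failure(void)
{
    query_vars q;
    g_calloc = failing_calloc;
    int rc = parse_query_checked(SAMPLE, '&', 1000, &q);
    g_calloc = calloc;
    return rc;
}

/* The report's "&a&a&a" shape against a limit it exceeds: refused before
 * any table is allocated, so calloc() is never asked for it. */
int demo_over_limit(void)
{
    query_vars q;
    return parse_query_checked("email=x&a&a&a", '&', 3, &q);
}
```

With the allocator swapped for one that returns NULL, parse_query_checked returns -1 at exactly the point where the unchecked code would store through a NULL val_list; with the variable count over the limit it returns -2 before calling the allocator at all, which is the kind of limit the "Input variables exceeded 1000" warning quoted earlier in the thread reflects. Whether an unchecked ecalloc() can return NULL at all in a given build is the question this thread turns on; the example only shows what the check buys you when it can.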
 [2016-09-26 04:04 UTC] minhrau dot vc dot 365 at gmail dot com
-Status: Not a bug +Status: Open
 [2016-09-26 04:04 UTC] minhrau dot vc dot 365 at gmail dot com
please take a look
 [2016-09-27 02:52 UTC] minhrau dot vc dot 365 at gmail dot com
-Status: Open +Status: Assigned
 [2016-09-27 02:52 UTC] minhrau dot vc dot 365 at gmail dot com
Is this stas guy the only one who takes care of security vulnerabilities in PHP?

It seems he did not take the problem seriously, and sometimes I'm very disappointed with his decisions on my reports!
 [2016-10-12 00:01 UTC] stas@php.net
-Status: Assigned +Status: Closed -Assigned To: +Assigned To: stas -Block user comment: No +Block user comment: Yes
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 27 12:01:29 2024 UTC