Bug #73151 shell_exec could produce string larger than 2GB
Submitted: 2016-09-23 15:32 UTC Modified: 2017-02-13 01:17 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: Strings related
PHP Version: 5.6.26 OS:
Private report: No CVE-ID: None
 [2016-09-23 15:32 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function shell_exec declares total_readbytes as size_t and later checks for total_readbytes > 0. This could lead to an output string that is larger than INTMAX.

PHP_FUNCTION(shell_exec)
{
	FILE *in;
	size_t total_readbytes;
	char *command;
	int command_len;
	char *ret;
	php_stream *stream;

	...
	...

	stream = php_stream_fopen_from_pipe(in, "rb");
	total_readbytes = php_stream_copy_to_mem(stream, &ret, PHP_STREAM_COPY_ALL, 0);
	php_stream_close(stream);

	if (total_readbytes > 0) {
		RETVAL_STRINGL(ret, total_readbytes, 0);  /* <- could produce string larger than 2Gb */
	}
}


Test script:
---------------
Python script to create test file:
#! /usr/bin/env python

f = open('html.html', 'w')
f.write('<html>')

for _ in range(0x100):
    f.write('<p>')
    for _ in range(0x100):
        f.write('a'*(0x8000))
    f.write('</p>')

f.write('</html>')
f.close()


PHP script:
<?php
    ini_set("memory_limit", -1);
    
    $str = shell_exec('python -c "f = open(\'html.html\');data=f.read();f.close();print data"');
    
    var_dump(strlen($str));
?>

Expected result:
----------------
No string returned.

Actual result:
--------------
gdb-peda$ r ../test/string/test_shellexec.php 
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test_shellexec.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New process 13361]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 13361 is executing new program: /bin/dash
[New process 13362]
process 13362 is executing new program: /usr/bin/python2.7
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 3 (process 13362) exited normally]

int(-2147481842) <- string larger than 2Gb


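The numbers in this report can be checked without a 2 GB file. The following is an added example, not code from the report or from PHP's source: it computes the byte count the reporter's Python generator produces (plus the newline that Python 2's print appends), shows what that size_t becomes when it is passed through RETVAL_STRINGL's int length parameter, and applies the guard the report implies, rejecting any count that does not fit in a PHP 5 string length. The function names are hypothetical.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Byte count of the reporter's generated output (computed, not measured):
 * "<html>" + 0x100 * ("<p>" + 0x100 * 0x8000 bytes of 'a' + "</p>") + "</html>",
 * plus the trailing newline that Python 2's `print data` adds. */
size_t expected_output_bytes(void)
{
    size_t total = 6;                                          /* "<html>"  */
    total += (size_t)0x100 * (3 + (size_t)0x100 * 0x8000 + 4); /* paragraphs */
    total += 7;                                                /* "</html>" */
    total += 1;                                                /* newline   */
    return total;
}

/* What a 32-bit int length parameter sees when a size_t is passed to it
 * unchecked: the value wraps modulo 2^32. Computed in 64 bits so the result
 * is well defined on every platform (hypothetical helper). */
int64_t truncated_int_length(size_t n)
{
    int64_t v = (int64_t)(n & 0xFFFFFFFFu);
    if (v > INT32_MAX) {
        v -= (int64_t)1 << 32;
    }
    return v;
}

/* The check the report implies: only build the string if the byte count fits
 * in a PHP 5 string length (int). Returns 1 if safe, 0 if it must be refused. */
int fits_php5_string_len(size_t n)
{
    return n <= (size_t)INT_MAX;
}

int main(void)
{
    size_t n = expected_output_bytes();
    printf("bytes produced:     %llu\n", (unsigned long long)n);
    printf("as int length:      %lld\n", (long long)truncated_int_length(n));
    printf("fits PHP 5 string:  %s\n", fits_php5_string_len(n) ? "yes" : "no");
    return 0;
}
```

The truncated value matches the int(-2147481842) in the reporter's gdb session, which is the sign the report's analysis is right: the count itself was correct, the int length field simply cannot hold it.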
 [2016-09-26 03:00 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-26 03:00 UTC] stas@php.net
Doesn't look like a security issue; shell_exec's return is not something that would be remotely controlled.
 [2016-09-26 12:50 UTC] nguyenluan dot vnn at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-09-26 12:50 UTC] nguyenluan dot vnn at gmail dot com
PHP 5 does not allow any string to be larger than 2Gb.

Like this bug https://bugs.php.net/bug.php?id=72807, I think this should be considered a security issue.
 [2016-11-04 05:55 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 05:55 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:17 UTC] stas@php.net
-Type: Security +Type: Bug