PHP :: Bug #73187 :: transliterator_create_from

Bug #73187

transliterator_create_from_rules stack overflow

Submitted:

2016-09-27 16:28 UTC

Modified:

2018-05-15 16:18 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

fernando at null-life dot com

Assigned:

Status:

Wont fix

Package:

intl (PECL)

PHP Version:

7.0.11

OS:

Windows

Private report:

CVE-ID:

None

View Developer Edit

[2016-09-27 16:28 UTC] fernando at null-life dot com

Description:
------------
Attached code causes stack overflow on ICU code

Test script:
---------------
<?php

$v1=str_repeat("(", 0xffffff+1);
transliterator_create_from_rules($v1);


Expected result:
----------------
No crash

Actual result:
--------------
Exception Hash (Major/Minor): 0x2b73a693.0x7c0fb53c

 Hash Usage : Stack Trace:
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x2174
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Major+Minor : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Minor       : icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x25bd
Instruction Address: 0x000000006beb33c4

Description: Stack Exhaustion
Short Description: StackExhaustion
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Stack Exhaustion starting at icuin57!icu_57::RuleBasedTransliterator::getStaticClassID+0x0000000000002174 (Hash=0x2b73a693.0x7c0fb53c)

Stack Exhaustion is considered to be probably not exploitable.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-27 17:22 UTC] stas@php.net

This is probably because ICU parser is recursive. We can't do much about it and most probably ICU won't fix it either...

[2018-05-15 16:18 UTC] ab@php.net

-Status: Open +Status: Wont fix

[2018-05-15 16:18 UTC] ab@php.net

As per Stas comment, wont fix.

Thanks.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 05:00:01 2025 UTC