|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-11-04 05:57 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
[2016-11-04 05:57 UTC] stas@php.net
[2017-02-13 01:06 UTC] stas@php.net
-Type: Security
+Type: Bug
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 19 07:01:27 2024 UTC |
Description: ------------ bzcompress function could output string larger than 2Gb when compressing string with high entropy. Test script: --------------- <?php ini_set('memory_limit', -1); $str = openssl_random_pseudo_bytes(0x7fffffff); // (1) generate high entropy string $str1 = bzcompress($str, 1); // (2) lowest compression level var_dump(strlen($str1)); ?> Expected result: ---------------- No crash. No string return since output is larger than 2Gb. Actual result: -------------- gdb-peda$ r ../test/string/test_bzcompress.php Starting program: /home/user/Desktop/php-5.6.27/sapi/cli/php ../test/string/test_bzcompress.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". int(-2130227446) // (2) string larger than 2Gb Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] RAX: 0x7ffe6bc2ef7a RBX: 0x0 RCX: 0x10c4db8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h") RDX: 0x7ffeeabba070 ("BZh11AY&SYǥÈ") RSI: 0x10c4db8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h") RDI: 0x7ffff7fb94c0 --> 0x7ffeeabba070 ("BZh11AY&SYǥÈ") RBP: 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...) RSP: 0x7fffffffb990 --> 0x7 RIP: 0xa981a0 (<_zval_dtor_func+99>: movzx eax,BYTE PTR [rax]) R8 : 0x136 R9 : 0x10c4db8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h") R10: 0x86f R11: 0x7ffff380f730 --> 0xfffda400fffda12f R12: 0x443a90 (<_start>: xor ebp,ebp) R13: 0x7fffffffe1a0 --> 0x2 R14: 0x0 R15: 0x0 EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0xa98198 <_zval_dtor_func+91>: mov eax,DWORD PTR [rax+0x8] 0xa9819b <_zval_dtor_func+94>: cdqe 0xa9819d <_zval_dtor_func+96>: add rax,rdx => 0xa981a0 <_zval_dtor_func+99>: movzx eax,BYTE PTR [rax] 0xa981a3 <_zval_dtor_func+102>: test al,al 0xa981a5 <_zval_dtor_func+104>: je 0xa981d4 <_zval_dtor_func+151> 0xa981a7 <_zval_dtor_func+106>: mov rax,QWORD PTR [rbp-0x8] 0xa981ab <_zval_dtor_func+110>: mov rax,QWORD PTR [rax] [------------------------------------stack-------------------------------------] 0000| 0x7fffffffb990 --> 0x7 0008| 0x7fffffffb998 --> 0x4ff7f863f8 0016| 0x7fffffffb9a0 --> 0x10c4db8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h") 0024| 0x7fffffffb9a8 --> 0x7ffff7fb94c0 --> 0x7ffeeabba070 ("BZh11AY&SYǥÈ") 0032| 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...) 0040| 0x7fffffffb9b8 --> 0xa830ef (<_zval_dtor+53>: jmp 0xa830f2 <_zval_dtor+56>) 0048| 0x7fffffffb9c0 ("/usr/local/lO") 0056| 0x7fffffffb9c8 --> 0x4f6c2f6c61 ('al/lO') [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000000000a981a0 in _zval_dtor_func (zvalue=0x7ffff7fb94c0, __zend_filename=0x10c4db8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f) at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:36 36 CHECK_ZVAL_STRING_REL(zvalue); gdb-peda$ bt #0 0x0000000000a981a0 in _zval_dtor_func (zvalue=0x7ffff7fb94c0, __zend_filename=0x10c4db8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f) at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:36 #1 0x0000000000a830ef in _zval_dtor (zvalue=0x7ffff7fb94c0, __zend_filename=0x10c4db8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f) at /home/user/Desktop/php-5.6.27/Zend/zend_variables.h:35 #2 0x0000000000a831ba in i_zval_ptr_dtor (zval_ptr=0x7ffff7fb94c0, __zend_filename=0x10c70a0 "/home/user/Desktop/php-5.6.27/Zend/zend_variables.c", __zend_lineno=0xbc) at /home/user/Desktop/php-5.6.27/Zend/zend_execute.h:79 #3 0x0000000000a84493 in _zval_ptr_dtor (zval_ptr=0x7ffff7fbad88, __zend_filename=0x10c70a0 "/home/user/Desktop/php-5.6.27/Zend/zend_variables.c", __zend_lineno=0xbc) at /home/user/Desktop/php-5.6.27/Zend/zend_execute_API.c:424 #4 0x0000000000a9870b in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fbad88) at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:188 #5 0x0000000000aad5db in i_zend_hash_bucket_delete ( ht=0x1457708 <executor_globals+360>, p=0x7ffff7fbad70) at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:182 #6 0x0000000000aad6b3 in zend_hash_bucket_delete ( ht=0x1457708 <executor_globals+360>, p=0x7ffff7fbad70) at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:192 #7 0x0000000000aaf3c6 in zend_hash_graceful_reverse_destroy ( ht=0x1457708 <executor_globals+360>) at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:613 #8 0x0000000000a83c8f in shutdown_executor () at /home/user/Desktop/php-5.6.27/Zend/zend_execute_API.c:244 #9 0x0000000000a9aa59 in zend_deactivate () at /home/user/Desktop/php-5.6.27/Zend/zend.c:960 #10 0x00000000009fbb34 in php_request_shutdown (dummy=0x0) at /home/user/Desktop/php-5.6.27/main/main.c:1899 #11 0x0000000000b59806 in do_cli (argc=0x2, argv=0x145c560) at /home/user/Desktop/php-5.6.27/sapi/cli/php_cli.c:1181 #12 0x0000000000b5a098 in main (argc=0x2, argv=0x145c560) at /home/user/Desktop/php-5.6.27/sapi/cli/php_cli.c:1382 #13 0x00007ffff369b830 in __libc_start_main (main=0xb5987b <main>, argc=0x2, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:291 #14 0x0000000000443ab9 in _start ()