Bug #73357 crash in gzcompress and 3 other compress functions
Submitted: 2016-10-20 13:58 UTC Modified: 2017-02-13 01:05 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: Zlib related
PHP Version: 5.6.27 OS:
Private report: No CVE-ID: None
 [2016-10-20 13:58 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
zlib.c defines the macro PHP_ZLIB_ENCODE_FUNC. The 4 functions zlib_encode, gzdeflate, gzencode and gzcompress that use this macro may produce an output string larger than 2Gb.

Test script:
---------------
<?php
    ini_set('memory_limit', -1);
    
    $str = openssl_random_pseudo_bytes(0x7fffffff);  // (1) high entropy string
    $str1 = gzcompress($str, 1);
    
    var_dump(strlen($str1));
?>

Expected result:
----------------
No crash. No string returned, since the output is larger than 2Gb.

Actual result:
--------------
gdb-peda$ r ../test/string/test_gzcompress.php 
Starting program: /home/user/Desktop/php-5.6.27/sapi/cli/php ../test/string/test_gzcompress.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
int(-2147118876)  // String larger than 2Gb

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffe6a110154 
RBX: 0x0 
RCX: 0x10c4db8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
RDX: 0x7ffeea0b7070 --> 0x577fc2803d000178 
RSI: 0x10c4db8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
RDI: 0x7ffff7fb94c0 --> 0x7ffeea0b7070 --> 0x577fc2803d000178 
RBP: 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
RSP: 0x7fffffffb990 --> 0x7 
RIP: 0xa981a0 (<_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax])
R8 : 0x136 
R9 : 0x10c4db8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
R10: 0x86f 
R11: 0x7ffff380f730 --> 0xfffda400fffda12f 
R12: 0x443a90 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa98198 <_zval_dtor_func+91>:	mov    eax,DWORD PTR [rax+0x8]
   0xa9819b <_zval_dtor_func+94>:	cdqe   
   0xa9819d <_zval_dtor_func+96>:	add    rax,rdx
=> 0xa981a0 <_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax]
   0xa981a3 <_zval_dtor_func+102>:	test   al,al
   0xa981a5 <_zval_dtor_func+104>:	je     0xa981d4 <_zval_dtor_func+151>
   0xa981a7 <_zval_dtor_func+106>:	mov    rax,QWORD PTR [rbp-0x8]
   0xa981ab <_zval_dtor_func+110>:	mov    rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb990 --> 0x7 
0008| 0x7fffffffb998 --> 0x4ff7f863f8 
0016| 0x7fffffffb9a0 --> 0x10c4db8 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
0024| 0x7fffffffb9a8 --> 0x7ffff7fb94c0 --> 0x7ffeea0b7070 --> 0x577fc2803d000178 
0032| 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
0040| 0x7fffffffb9b8 --> 0xa830ef (<_zval_dtor+53>:	jmp    0xa830f2 <_zval_dtor+56>)
0048| 0x7fffffffb9c0 ("/usr/local/lO")
0056| 0x7fffffffb9c8 --> 0x4f6c2f6c61 ('al/lO')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000a981a0 in _zval_dtor_func (zvalue=0x7ffff7fb94c0, 
    __zend_filename=0x10c4db8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:36
36				CHECK_ZVAL_STRING_REL(zvalue);

gdb-peda$ bt
#0  0x0000000000a981a0 in _zval_dtor_func (zvalue=0x7ffff7fb94c0, 
    __zend_filename=0x10c4db8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:36
#1  0x0000000000a830ef in _zval_dtor (zvalue=0x7ffff7fb94c0, 
    __zend_filename=0x10c4db8 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.h:35
#2  0x0000000000a831ba in i_zval_ptr_dtor (zval_ptr=0x7ffff7fb94c0, 
    __zend_filename=0x10c70a0 "/home/user/Desktop/php-5.6.27/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute.h:79
#3  0x0000000000a84493 in _zval_ptr_dtor (zval_ptr=0x7ffff7fbad88, 
    __zend_filename=0x10c70a0 "/home/user/Desktop/php-5.6.27/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute_API.c:424
#4  0x0000000000a9870b in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fbad88)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:188
#5  0x0000000000aad5db in i_zend_hash_bucket_delete (
    ht=0x1457708 <executor_globals+360>, p=0x7ffff7fbad70)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:182
#6  0x0000000000aad6b3 in zend_hash_bucket_delete (
    ht=0x1457708 <executor_globals+360>, p=0x7ffff7fbad70)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:192
#7  0x0000000000aaf3c6 in zend_hash_graceful_reverse_destroy (
    ht=0x1457708 <executor_globals+360>)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:613
#8  0x0000000000a83c8f in shutdown_executor ()
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute_API.c:244
#9  0x0000000000a9aa59 in zend_deactivate ()
    at /home/user/Desktop/php-5.6.27/Zend/zend.c:960
#10 0x00000000009fbb34 in php_request_shutdown (dummy=0x0)
    at /home/user/Desktop/php-5.6.27/main/main.c:1899
#11 0x0000000000b59806 in do_cli (argc=0x2, argv=0x145c560)
    at /home/user/Desktop/php-5.6.27/sapi/cli/php_cli.c:1181
#12 0x0000000000b5a098 in main (argc=0x2, argv=0x145c560)
    at /home/user/Desktop/php-5.6.27/sapi/cli/php_cli.c:1382
#13 0x00007ffff369b830 in __libc_start_main (main=0xb5987b <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#14 0x0000000000443ab9 in _start ()
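The negative strlen() in the output above is the signature of a length that overflowed a signed 32-bit field: in PHP 5 a string's length is an int, so a compressed output of just over 2^31 bytes stored into it wraps negative (read modulo 2^32, -2147118876 corresponds to 2147848420 bytes, slightly more than the 0x7fffffff-byte random input, which deflate cannot shrink). The C program below is an added illustration, not PHP's code and not the committed fix: it models the unchecked store beside the range check a caller can perform against a worst-case output bound before allocating anything. The deflate_bound() formula is copied from zlib's deflateBound() for its default settings and is treated here as an assumption so the example needs no zlib; the sample sizes are the ones from this report.

```c
/* Added example (not PHP's code): a size_t compressed length that exceeds
 * INT_MAX wraps when copied into a 32-bit int length field; the checked
 * variant rejects such inputs before compressing. Illustrative only. */
#include <limits.h>
#include <stdio.h>

/* Worst-case deflate output size for a given input size. Mirrors the formula
 * zlib's deflateBound() uses for default parameters; assumed here so that the
 * example runs without linking zlib. Monotonic in source_len. */
size_t deflate_bound(size_t source_len)
{
    return source_len + (source_len >> 12) + (source_len >> 14)
         + (source_len >> 25) + 13;
}

/* The unsafe pattern: the real output length (size_t) is copied into an int
 * length field with no range check. Above INT_MAX the stored value goes
 * negative on two's-complement targets (gcc and clang define this as modulo). */
int store_len_unchecked(size_t out_len)
{
    return (int)out_len;
}

/* The hardened pattern: refuse the operation before compressing when even the
 * worst-case output could not be represented as a non-negative int.
 * Returns 0 and writes the bound on success, -1 when the input is too large. */
int checked_output_bound(size_t in_len, int *bound_out)
{
    size_t bound = deflate_bound(in_len);
    if (bound < in_len || bound > (size_t)INT_MAX) {
        return -1;           /* would overflow the int length field */
    }
    *bound_out = (int)bound;
    return 0;
}

/* Convenience wrapper: 1 when in_len passes the check, 0 otherwise. */
int input_len_is_safe(size_t in_len)
{
    int unused;
    return checked_output_bound(in_len, &unused) == 0;
}

/* Largest input length whose worst-case deflate output still fits in an int,
 * found by binary search over the monotonic deflate_bound(). */
size_t max_safe_input_len(void)
{
    size_t lo = 0, hi = (size_t)INT_MAX;   /* bound(0) == 13 always fits */
    while (lo < hi) {
        size_t mid = lo + (hi - lo + 1) / 2;
        if (deflate_bound(mid) <= (size_t)INT_MAX) lo = mid; else hi = mid - 1;
    }
    return lo;
}

int main(void)
{
    /* Constructed sample, taken from this report: a 0x7fffffff-byte input and
     * the compressed size implied by strlen() == -2147118876, i.e.
     * 2^32 - 2147118876 = 2147848420 bytes. */
    size_t in_len = (size_t)0x7fffffffUL;
    size_t actual_out = (size_t)2147848420UL;

    printf("worst-case bound for %zu-byte input: %zu (fits int: %s)\n",
           in_len, deflate_bound(in_len),
           input_len_is_safe(in_len) ? "yes" : "no");
    printf("unchecked store of %zu bytes -> %d\n",
           actual_out, store_len_unchecked(actual_out));
    printf("largest input with a safe worst-case bound: %zu bytes\n",
           max_safe_input_len());
    return 0;
}
```

The point of checking the bound rather than the input length alone is that deflate can expand incompressible data, so an input that itself fits in an int (0x7fffffff bytes does) can still produce an output that does not; the check has to be made on the output side, before the buffer is allocated and handed to the string machinery.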


History

 [2016-11-04 05:56 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 05:56 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:05 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 21:01:28 2024 UTC