php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73368 iconv() function missing string length check
Submitted: 2016-10-21 16:01 UTC Modified: 2017-02-13 01:04 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: ICONV related
PHP Version: 5.6.27 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: nguyenluan dot vnn at gmail dot com
New email:
PHP Version: OS:

 

 [2016-10-21 16:01 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function iconv() could produce string larger than 2Gb. Please refer to the test script and GDB output.

Test script:
---------------
<?php
    ini_set('memory_limit', -1);
    
    $str = '+'.str_repeat('IKwgrCCsIKwgrCCs', 0x71c71c8).'-';
    $str1 = iconv("UTF-7", "UTF-8",$str);
    
    var_dump(strlen($str));
    var_dump(strlen($str1));
?>

Expected result:
----------------
No crash. No string returns.

Actual result:
--------------
gdb-peda$ r ../test/string/test_collator_sort.php 
Starting program: /home/user/Desktop/php-5.6.27/sapi/cli/php ../test/string/test_collator_sort.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
int(1908874370)
int(-2147483632)  // string larger than 2Gb

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffda42e2080 
RBX: 0x0 
RCX: 0x10c8998 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
RDX: 0x7ffe242e2070 --> 0x82e2ac82e2ac82e2 
RSI: 0x10c8998 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
RDI: 0x7ffff7fb8ff0 --> 0x7ffe242e2070 --> 0x82e2ac82e2ac82e2 
RBP: 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
RSP: 0x7fffffffb990 --> 0x7 
RIP: 0xa9b8be (<_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax])
R8 : 0x136 
R9 : 0x10c8998 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
R10: 0x86f 
R11: 0x7ffff3603730 --> 0xfffda400fffda12f 
R12: 0x444220 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x0 
R15: 0x0
EFLAGS: 0x10203 (CARRY parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xa9b8b6 <_zval_dtor_func+91>:	mov    eax,DWORD PTR [rax+0x8]
   0xa9b8b9 <_zval_dtor_func+94>:	cdqe   
   0xa9b8bb <_zval_dtor_func+96>:	add    rax,rdx
=> 0xa9b8be <_zval_dtor_func+99>:	movzx  eax,BYTE PTR [rax]
   0xa9b8c1 <_zval_dtor_func+102>:	test   al,al
   0xa9b8c3 <_zval_dtor_func+104>:	je     0xa9b8f2 <_zval_dtor_func+151>
   0xa9b8c5 <_zval_dtor_func+106>:	mov    rax,QWORD PTR [rbp-0x8]
   0xa9b8c9 <_zval_dtor_func+110>:	mov    rax,QWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb990 --> 0x7 
0008| 0x7fffffffb998 --> 0x4ff7f843f8 
0016| 0x7fffffffb9a0 --> 0x10c8998 ("/home/user/Desktop/php-5.6.27/Zend/zend_execute.h")
0024| 0x7fffffffb9a8 --> 0x7ffff7fb8ff0 --> 0x7ffe242e2070 --> 0x82e2ac82e2ac82e2 
0032| 0x7fffffffb9b0 --> 0x7fffffffb9e0 --> 0x7fffffffba10 --> 0x7fffffffba40 --> 0x7fffffffba60 --> 0x7fffffffba80 (--> ...)
0040| 0x7fffffffb9b8 --> 0xa8680d (<_zval_dtor+53>:	jmp    0xa86810 <_zval_dtor+56>)
0048| 0x7fffffffb9c0 ("/usr/local/lO")
0056| 0x7fffffffb9c8 --> 0x4f6c2f6c61 ('al/lO')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000a9b8be in _zval_dtor_func (zvalue=0x7ffff7fb8ff0, 
    __zend_filename=0x10c8998 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:36
36				CHECK_ZVAL_STRING_REL(zvalue);

gdb-peda$ bt
#0  0x0000000000a9b8be in _zval_dtor_func (zvalue=0x7ffff7fb8ff0, 
    __zend_filename=0x10c8998 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:36
#1  0x0000000000a8680d in _zval_dtor (zvalue=0x7ffff7fb8ff0, 
    __zend_filename=0x10c8998 "/home/user/Desktop/php-5.6.27/Zend/zend_execute.h", __zend_lineno=0x4f)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.h:35
#2  0x0000000000a868d8 in i_zval_ptr_dtor (zval_ptr=0x7ffff7fb8ff0, 
    __zend_filename=0x10cac80 "/home/user/Desktop/php-5.6.27/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute.h:79
#3  0x0000000000a87bb1 in _zval_ptr_dtor (zval_ptr=0x7ffff7fb9080, 
    __zend_filename=0x10cac80 "/home/user/Desktop/php-5.6.27/Zend/zend_variables.c", __zend_lineno=0xbc)
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute_API.c:424
#4  0x0000000000a9be29 in _zval_ptr_dtor_wrapper (zval_ptr=0x7ffff7fb9080)
    at /home/user/Desktop/php-5.6.27/Zend/zend_variables.c:188
#5  0x0000000000ab0cf9 in i_zend_hash_bucket_delete (
    ht=0x145cb28 <executor_globals+360>, p=0x7ffff7fb9068)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:182
#6  0x0000000000ab0dd1 in zend_hash_bucket_delete (
    ht=0x145cb28 <executor_globals+360>, p=0x7ffff7fb9068)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:192
#7  0x0000000000ab2ae4 in zend_hash_graceful_reverse_destroy (
    ht=0x145cb28 <executor_globals+360>)
    at /home/user/Desktop/php-5.6.27/Zend/zend_hash.c:613
#8  0x0000000000a873ad in shutdown_executor ()
    at /home/user/Desktop/php-5.6.27/Zend/zend_execute_API.c:244
#9  0x0000000000a9e177 in zend_deactivate ()
    at /home/user/Desktop/php-5.6.27/Zend/zend.c:960
#10 0x00000000009ff252 in php_request_shutdown (dummy=0x0)
    at /home/user/Desktop/php-5.6.27/main/main.c:1899
#11 0x0000000000b5cf24 in do_cli (argc=0x2, argv=0x1461630)
    at /home/user/Desktop/php-5.6.27/sapi/cli/php_cli.c:1181
#12 0x0000000000b5d7b6 in main (argc=0x2, argv=0x1461630)
    at /home/user/Desktop/php-5.6.27/sapi/cli/php_cli.c:1382
#13 0x00007ffff348f830 in __libc_start_main (main=0xb5cf99 <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#14 0x0000000000444249 in _start ()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-04 02:55 UTC] stas@php.net
-Summary: crash in iconv() function +Summary: iconv() function missing string length check -Status: Open +Status: Feedback
 [2016-11-04 05:59 UTC] stas@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 05:59 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:04 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 09:01:30 2024 UTC