php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73378 crash in get_icu_value_internal function
Submitted: 2016-10-23 10:53 UTC Modified: 2017-10-15 21:35 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: intl (PECL)
PHP Version: 7.0.13 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: nguyenluan dot vnn at gmail dot com
New email:
PHP Version: OS:

 

 [2016-10-23 10:53 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
In function get_icu_value_internal:

static zend_string* get_icu_value_internal( const char* loc_name , char* tag_name, int* result , int fromParseLocale)
{
	zend_string*	tag_value	= NULL;

        ...
        ...
		if( strcmp(tag_name , LOC_SCRIPT_TAG)==0 ){
			buflen = uloc_getScript ( mod_loc_name , tag_value->val , tag_value_len , &status);
		}
		if( strcmp(tag_name , LOC_LANG_TAG )==0 ){
			buflen = uloc_getLanguage ( mod_loc_name , tag_value->val , tag_value_len , &status);  // (1) crash here
		}
		if( strcmp(tag_name , LOC_REGION_TAG)==0 ){
			buflen = uloc_getCountry ( mod_loc_name , tag_value->val , tag_value_len , &status);  // (2) crash here
		}
		if( strcmp(tag_name , LOC_VARIANT_TAG)==0 ){
			buflen = uloc_getVariant ( mod_loc_name , tag_value->val , tag_value_len , &status);  // (3) crash here
		}
		if( strcmp(tag_name , LOC_CANONICALIZE_TAG)==0 ){
			buflen = uloc_canonicalize ( mod_loc_name , tag_value->val , tag_value_len , &status);  // (4) crash here
		}

        ...
        ...
}

When passing locale string larger than 2Gb, this function may cause PHP 7 to crash at 4 points as above source code comments. Please refer to the test script and GDB output.

Test script:
---------------
    ini_set('memory_limit', -1);
    
    $str = str_repeat('a', 0x8fffffff);
    $str1 = "sl-Latn-IT-$str";
    $arr = locale_parse($str1);
?>

Expected result:
----------------
No crash.

Actual result:
--------------
gdb-peda$ r ../test/string/test.php 
Starting program: /home/user/Desktop/php-7.0.12/sapi/cli/php ../test/string/test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x41 ('A')
RBX: 0x80000000 
RCX: 0x200 
RDX: 0x0 
RSI: 0x2d ('-')
RDI: 0x61 ('a')
RBP: 0x7ffebb20000b ('a' <repeats 200 times>...)
RSP: 0x7fffffffa500 --> 0xffffffffffffffff 
RIP: 0x7ffff43508f9 (mov    BYTE PTR [r12],al)
R8 : 0x0 
R9 : 0x0 
R10: 0x389 
R11: 0x7ffff4351d50 (<uloc_getVariant_55>:	push   r14)
R12: 0x80006bc64798 
R13: 0x200 
R14: 0x7fffebc14030 --> 0x7fffebc821c0 --> 0xad8472 (<ZEND_DO_ICALL_SPEC_HANDLER>:	push   rbp)
R15: 0x7fffebc821c0 --> 0xad8472 (<ZEND_DO_ICALL_SPEC_HANDLER>:	push   rbp)
EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff43508f0:	call   0x7ffff436b2c0 <uprv_toupper_55>
   0x7ffff43508f5:	cmp    al,0x2d
   0x7ffff43508f7:	je     0x7ffff4350910
=> 0x7ffff43508f9:	mov    BYTE PTR [r12],al
   0x7ffff43508fd:	jmp    0x7ffff43508d0
   0x7ffff43508ff:	nop
   0x7ffff4350900:	mov    BYTE PTR [r12],0x5f
   0x7ffff4350905:	jmp    0x7ffff4350858
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa500 --> 0xffffffffffffffff 
0008| 0x7fffffffa508 --> 0x7ffe3b200000 ("sl-Latn-IT-", 'a' <repeats 189 times>...)
0016| 0x7fffffffa510 --> 0x7fffffffa664 --> 0x20000000000 
0024| 0x7fffffffa518 --> 0x7ffe3b200000 ("sl-Latn-IT-", 'a' <repeats 189 times>...)
0032| 0x7fffffffa520 --> 0x7fffffffa664 --> 0x20000000000 
0040| 0x7fffffffa528 --> 0x7fffebc64798 ('A' <repeats 200 times>...)
0048| 0x7fffffffa530 --> 0x200 
0056| 0x7fffffffa538 --> 0x7ffff4351f21 (<uloc_getVariant_55+465>:	mov    edx,eax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff43508f9 in ?? () from /usr/lib/x86_64-linux-gnu/libicuuc.so.55

gdb-peda$ bt
#0  0x00007ffff43508f9 in ?? () from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#1  0x00007ffff4351f21 in uloc_getVariant_55 ()
   from /usr/lib/x86_64-linux-gnu/libicuuc.so.55
#2  0x00000000006edd0c in get_icu_value_internal (
    loc_name=0x7ffecb400018 "sl-Latn-IT-", 'a' <repeats 189 times>..., 
    tag_name=0xf78b61 "variant", result=0x7fffffffa6cc, fromParseLocale=0x1)
    at /home/user/Desktop/php-7.0.12/ext/intl/locale/locale_methods.c:329
#3  0x00000000006ef61b in add_array_entry (
    loc_name=0x7ffecb400018 "sl-Latn-IT-", 'a' <repeats 189 times>..., 
    hash_arr=0x7fffebc14110, key_name=0xf78b61 "variant")
    at /home/user/Desktop/php-7.0.12/ext/intl/locale/locale_methods.c:1057
#4  0x00000000006ef9c8 in zif_locale_parse (execute_data=0x7fffebc14150, 
    return_value=0x7fffebc14110)
    at /home/user/Desktop/php-7.0.12/ext/intl/locale/locale_methods.c:1138
#5  0x0000000000ad8506 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:586
#6  0x0000000000ad7f32 in execute_ex (ex=0x7fffebc14030)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:414
#7  0x0000000000ad8043 in zend_execute (op_array=0x7fffebc81000, 
    return_value=0x0)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:458
#8  0x0000000000a78cfc in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-7.0.12/Zend/zend.c:1427
#9  0x00000000009e11d5 in php_execute_script (primary_file=0x7fffffffce20)
    at /home/user/Desktop/php-7.0.12/main/main.c:2494
#10 0x0000000000b412f8 in do_cli (argc=0x2, argv=0x14a6630)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:974
#11 0x0000000000b424c6 in main (argc=0x2, argv=0x14a6630)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:1344
#12 0x00007ffff38b3830 in __libc_start_main (main=0xb41cbb <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#13 0x00000000004475a9 in _start ()


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-04 03:13 UTC] stas@php.net
-PHP Version: 7.0.12 +PHP Version: 5.6.27
 [2016-11-04 06:01 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 06:01 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 [2016-11-11 12:46 UTC] nguyenluan dot vnn at gmail dot com
-Status: Closed +Status: Assigned
 [2016-11-11 12:46 UTC] nguyenluan dot vnn at gmail dot com
It still crashes in version 7.0.13. Please check again.
 [2016-11-11 12:47 UTC] nguyenluan dot vnn at gmail dot com
-Status: Assigned +Status: Open -PHP Version: 5.6.27 +PHP Version: 7.0.13
 [2016-11-11 12:47 UTC] nguyenluan dot vnn at gmail dot com
Open again.
 [2016-11-14 11:46 UTC] nguyenluan dot vnn at gmail dot com
-Status: Open +Status: Closed
 [2016-11-14 11:46 UTC] nguyenluan dot vnn at gmail dot com
Fixed in PHP 7.1.0 RC6. Please close.

Thanks.
 [2017-10-15 21:35 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 06 08:01:26 2024 UTC