[2016-11-04 05:58 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
[2016-11-04 05:58 UTC] stas@php.net
[2017-02-13 00:58 UTC] stas@php.net
-Type: Security
+Type: Bug
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Mon Oct 27 09:00:02 2025 UTC
Description:
------------
The malloc function receives a negative size value in the addFromString method.

static ZIPARCHIVE_METHOD(addFromString)
{
    struct zip *intern;
    ...
    ze_obj->buffers[pos] = (char *)emalloc(buffer_len + 1); <- used without checking its value
    memcpy(ze_obj->buffers[pos], buffer, buffer_len + 1);
    zs = zip_source_buffer(intern, ze_obj->buffers[pos], buffer_len, 0);
    ....
}

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$v1 = str_repeat("A", 0x7fffffff);
$zip = new ZipArchive;
$res = $zip->open('test.zip', ZipArchive::CREATE);
if ($res === TRUE) {
    $zip->addFromString('test.txt', $v1);
    $zip->close();
    echo 'ok';
} else {
    echo 'failed';
}
?>

Expected result:
----------------
No crash

Actual result:
--------------
gdb ~/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php
(gdb) r test.php
Starting program: /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Fatal error: Out of memory (allocated 2148007936) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c:1925 (tried to allocate 18446744071562067968 bytes) in /home/zx/zx/php/emalloc/test.php on line 8

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a84ff9 in zend_mm_check_ptr (heap=0x14a9ad0, ptr=0xd573485a5a5a5a5a, silent=1, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:1384
1384        if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt
#0  0x0000000000a84ff9 in zend_mm_check_ptr (heap=0x14a9ad0, ptr=0xd573485a5a5a5a5a, silent=1, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:1384
#1  0x0000000000a86c60 in _zend_mm_free_int (heap=0x14a9ad0, p=0xd573485a5a5a5a5a, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:2068
#2  0x0000000000a88271 in _efree (ptr=0xd573485a5a5a5a5a, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:2440
#3  0x0000000000990e81 in php_zip_object_free_storage (object=0x7ffff7fb7868) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c:1105
#4  0x0000000000b034ca in zend_objects_store_free_object_storage (objects=0x14751a0 <executor_globals+928>) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_objects_API.c:97
#5  0x0000000000aabc3b in shutdown_executor () at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_execute_API.c:290
#6  0x0000000000ac276d in zend_deactivate () at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend.c:960
#7  0x0000000000a23771 in php_request_shutdown (dummy=0x0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/main/main.c:1899
#8  0x0000000000b81532 in do_cli (argc=2, argv=0x147a5a0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1181
#9  0x0000000000b81dc4 in main (argc=2, argv=0x147a5a0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1382
(gdb) print p->info._size
Cannot access memory at address 0x24d9fd5a5a5a5a12
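The report shows two things going wrong in sequence: `buffer_len` is a C int holding a 0x7fffffff-byte string length, so `buffer_len + 1` wraps to a negative value that the implicit conversion to size_t sign-extends into the 18446744071562067968-byte request in the fatal error; and because emalloc bailed out before `ze_obj->buffers[pos]` was written, object destruction later hands a never-assigned pointer (0xd573485a5a5a5a5a in the backtrace) to efree. The following C is an added example, not code from php-src: it models that size arithmetic without undefined behaviour and shows a hardened version of the allocation path. The `zip_buffers` struct, the function names and the `max_alloc` stand-in for PHP's memory_limit are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model (not php-src code) of the size computed by
 *     emalloc(buffer_len + 1)
 * when buffer_len is a C int.  The wrap is done explicitly so this model
 * has no undefined behaviour; it mirrors the reporter's x86-64 build, where
 * the int addition wraps to INT_MIN and the int -> size_t conversion
 * sign-extends it to 0xFFFFFFFF80000000 (18446744071562067968). */
size_t vulnerable_request_size(int buffer_len)
{
    uint32_t wrapped = (uint32_t)buffer_len + 1u;      /* 32-bit two's complement wrap */
    int64_t as_int = (wrapped & 0x80000000u)           /* reinterpret as the int emalloc sees */
                   ? (int64_t)wrapped - 0x100000000LL
                   : (int64_t)wrapped;
    return (size_t)as_int;                             /* negative -> close to 2^64 */
}

/* Hypothetical owner of the per-object buffer table (stands in for
 * ze_obj->buffers / buffers_cnt). count only covers slots that hold a
 * valid pointer, so a failed allocation can never leave a slot to free. */
struct zip_buffers {
    char **items;
    size_t count;
};

/* Hardened equivalent of the addFromString allocation path.
 * Returns 0 on success, -1 on a rejected length or allocation failure.
 * max_alloc plays the role of memory_limit, which is what made emalloc
 * fail in the report. */
int safe_add_buffer(struct zip_buffers *zb, const char *data,
                    int buffer_len, size_t max_alloc)
{
    if (buffer_len < 0 || buffer_len == INT_MAX) {
        return -1;                           /* buffer_len + 1 would overflow int */
    }
    size_t need = (size_t)buffer_len + 1;    /* widen first, then add */
    if (need > max_alloc) {
        return -1;
    }
    char **items = realloc(zb->items, (zb->count + 1) * sizeof *items);
    if (items == NULL) {
        return -1;
    }
    zb->items = items;                       /* capacity grew; count is unchanged */
    char *copy = malloc(need);
    if (copy == NULL) {
        return -1;                           /* no slot published, nothing dangles */
    }
    memcpy(copy, data, (size_t)buffer_len);
    copy[buffer_len] = '\0';
    zb->items[zb->count++] = copy;           /* publish only after the copy exists */
    return 0;
}

/* Counterpart of the free_storage loop in the backtrace: frees exactly
 * the slots that were published, so it can never see an unset pointer. */
void free_zip_buffers(struct zip_buffers *zb)
{
    for (size_t i = 0; i < zb->count; i++) {
        free(zb->items[i]);
    }
    free(zb->items);
    zb->items = NULL;
    zb->count = 0;
}

int main(void)
{
    printf("emalloc(0x7fffffff + 1) requests %zu bytes\n",
           vulnerable_request_size(INT_MAX));
    struct zip_buffers zb = { NULL, 0 };
    int rc = safe_add_buffer(&zb, "", INT_MAX, (size_t)1 << 20);
    printf("safe_add_buffer(INT_MAX) -> %d, count=%zu\n", rc, zb.count);
    rc = safe_add_buffer(&zb, "hello", 5, (size_t)1 << 20);
    printf("safe_add_buffer(5)       -> %d, count=%zu\n", rc, zb.count);
    free_zip_buffers(&zb);
    return 0;
}
```

The two checks are deliberately separate: the length test rejects the arithmetic overflow before any size is computed, and the `count` update after `malloc` covers the second defect, where an allocation that fails for an ordinary reason (memory_limit here) would otherwise leave an uninitialised slot for the destructor to free.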