PHP :: Bug #73445 :: malloc negative size parameter

Bug #73445	malloc negative size parameter
Submitted:	2016-11-02 15:54 UTC	Modified:	2017-02-13 00:58 UTC
From:	ahihibughunter at gmail dot com	Assigned:	stas (profile)
Status:	Closed	Package:	Zip Related
PHP Version:	5.6.28RC1	OS:	ALL
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	ahihibughunter at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2016-11-02 15:54 UTC] ahihibughunter at gmail dot com

Description:
------------
malloc function receives a negative size value in method addFromString

static ZIPARCHIVE_METHOD(addFromString)
{
	struct zip *intern;

...
        ze_obj->buffers[pos] = (char *)emalloc(buffer_len + 1);<- using with out check it value
	memcpy(ze_obj->buffers[pos], buffer, buffer_len + 1); 

	zs = zip_source_buffer(intern, ze_obj->buffers[pos], buffer_len, 0);
....
}

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$v1=str_repeat("A", 0x7fffffff);

$zip = new ZipArchive;
$res = $zip->open('test.zip', ZipArchive::CREATE);
if ($res === TRUE) {
    $zip->addFromString('test.txt', $v1);
    $zip->close();
    echo 'ok';
} else {
    echo 'failed';
}
?>


Expected result:
----------------
No crash


Actual result:
--------------
gdb ~/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php
(gdb) r test.php 
Starting program: /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Fatal error: Out of memory (allocated 2148007936) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c:1925 (tried to allocate 18446744071562067968 bytes) in /home/zx/zx/php/emalloc/test.php on line 8

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a84ff9 in zend_mm_check_ptr (heap=0x14a9ad0, ptr=0xd573485a5a5a5a5a, silent=1, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:1384
1384		if (p->info._size != ZEND_MM_NEXT_BLOCK(p)->info._prev) {
(gdb) bt
#0  0x0000000000a84ff9 in zend_mm_check_ptr (heap=0x14a9ad0, ptr=0xd573485a5a5a5a5a, silent=1, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:1384
#1  0x0000000000a86c60 in _zend_mm_free_int (heap=0x14a9ad0, p=0xd573485a5a5a5a5a, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, 
    __zend_orig_filename=0x0, __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:2068
#2  0x0000000000a88271 in _efree (ptr=0xd573485a5a5a5a5a, __zend_filename=0x10cda18 "/home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c", __zend_lineno=1105, __zend_orig_filename=0x0, 
    __zend_orig_lineno=0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_alloc.c:2440
#3  0x0000000000990e81 in php_zip_object_free_storage (object=0x7ffff7fb7868) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/ext/zip/php_zip.c:1105
#4  0x0000000000b034ca in zend_objects_store_free_object_storage (objects=0x14751a0 <executor_globals+928>) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_objects_API.c:97
#5  0x0000000000aabc3b in shutdown_executor () at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_execute_API.c:290
#6  0x0000000000ac276d in zend_deactivate () at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend.c:960
#7  0x0000000000a23771 in php_request_shutdown (dummy=0x0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/main/main.c:1899
#8  0x0000000000b81532 in do_cli (argc=2, argv=0x147a5a0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1181
#9  0x0000000000b81dc4 in main (argc=2, argv=0x147a5a0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1382
(gdb)print p->info._size
Cannot access memory at address 0x24d9fd5a5a5a5a12

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-04 05:58 UTC] stas@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: stas

[2016-11-04 05:58 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

[2017-02-13 00:58 UTC] stas@php.net

-Type: Security +Type: Bug

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 22:01:27 2024 UTC