[2016-11-18 14:40 UTC] krakjoe@php.net
-Type: Security
+Type: Bug
[2016-11-18 14:40 UTC] krakjoe@php.net
[2016-11-19 01:01 UTC] ahihibughunter at gmail dot com
[2016-11-19 01:16 UTC] ahihibughunter at gmail dot com
[2016-11-19 15:30 UTC] rasmus@php.net
[2020-11-18 14:02 UTC] cmb@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
[2020-11-18 14:02 UTC] cmb@php.net
Description:
------------
In function php_stream_filter_create, filtername has a very large value and causes a crash in zend_hash_str_find_ptr.

    PHPAPI php_stream_filter *php_stream_filter_create(const char *filtername, zval *filterparams, int persistent)
    {
        ......
        n = (int)strlen(filtername);                                                      <- filtername has very large value
        if (NULL != (factory = zend_hash_str_find_ptr(filter_hash, filtername, n))) {     <- crash here
            filter = factory->create_filter(filtername, filterparams, persistent);
            ....
    }

Test script:
---------------
    <?php
    ini_set('memory_limit', -1);
    $str = str_repeat('a', 0x8fffff00);
    stream_filter_register($str,$str);
    $fd = fopen('php://memory','w');
    $filter = stream_filter_append($fd, $str);
    ?>

Expected result:
----------------
No crash

Actual result:
--------------
    $ gdb /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php
    GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
    ....
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000a199ac in zend_inline_hash_func (str=0x7fffec800001 <error: Cannot access memory at address 0x7fffec800001>, len=18446744069414584088) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_string.h:330
    330         hash = ((hash << 5) + hash) + *str++;
    (gdb) bt
    #0  0x0000000000a199ac in zend_inline_hash_func (str=0x7fffec800001 <error: Cannot access memory at address 0x7fffec800001>, len=18446744069414584088) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_string.h:330
    #1  0x0000000000a1fb89 in zend_hash_str_find (ht=0x7fffed602840, str=0x7fff5c800018 'a' <repeats 200 times>..., len=18446744071830503168) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_hash.c:1998
    #2  0x0000000000995b73 in zend_hash_str_find_ptr (ht=0x7fffed602840, str=0x7fff5c800018 'a' <repeats 200 times>..., len=18446744071830503168) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_hash.h:697
    #3  0x0000000000996623 in php_stream_filter_create (filtername=0x7fff5c800018 'a' <repeats 200 times>..., filterparams=0x0, persistent=0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/streams/filter.c:260
    #4  0x0000000000929e04 in apply_filter_to_stream (append=1, execute_data=0x7fffed614140, return_value=0x7fffed614120) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/standard/streamsfuncs.c:1157
    #5  0x0000000000929ff4 in zif_stream_filter_append (execute_data=0x7fffed614140, return_value=0x7fffed614120) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/standard/streamsfuncs.c:1212
    #6  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
    #7  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
    #8  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
    #9  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
    #10 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcab0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
    #11 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c5a0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
    #12 0x0000000000ad18aa in main (argc=2, argv=0x141c5a0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
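The root cause visible in the report is a width mismatch: strlen() returns a size_t, the cast to int narrows it, and zend_hash_str_find_ptr takes a size_t again, so the negative int is sign-extended back into the huge len value shown in the backtrace. The following C program is an added example, not PHP's own code: it reproduces that round trip arithmetically for the exact length from the test script (without allocating the 2.4 GB string), and shows the check a hardened caller would apply before handing a length to a fixed-width API. The function names, the small filter table and the DJB-style hash shaped like zend_inline_hash_func are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reproduces the width mismatch from the report: a size_t length is
 * narrowed to int by the (int)strlen(filtername) cast, then widened back
 * to size_t at the hash-lookup parameter.  On LP64/gcc the narrowing wraps
 * modulo 2^32, so 0x8fffff00 becomes -1879048448 and, after sign extension,
 * 0xffffffff8fffff00 (18446744071830503168, the len= in frames #1 to #3). */
size_t len_after_int_roundtrip(size_t len)
{
    int n = (int)len;        /* the narrowing cast from the original code */
    return (size_t)n;        /* implicit widening at the size_t parameter */
}

/* Hardened check: a length may only be passed to an int-typed API when it
 * actually fits.  Returns 1 if it does, 0 if the cast would truncate. */
int length_fits_int(size_t len)
{
    return len <= (size_t)INT_MAX;
}

/* Hardened wrapper around strlen(): stores the length in *out only when it
 * fits in an int; otherwise leaves *out untouched and returns 0. */
int filter_name_len_checked(const char *name, int *out)
{
    size_t len = strlen(name);
    if (!length_fits_int(len)) {
        return 0;
    }
    *out = (int)len;
    return 1;
}

/* DJB-style hash in the shape of zend_inline_hash_func.  It trusts len
 * completely, which is why the length must be validated before the call:
 * an over-long len walks past the end of the buffer, exactly as in frame #0. */
unsigned long bounded_hash(const char *str, size_t len)
{
    unsigned long hash = 5381;
    while (len--) {
        hash = ((hash << 5) + hash) + (unsigned char)*str++;
    }
    return hash;
}

/* Constructed stand-in for a filter-name lookup: validates the length first,
 * then compares against a tiny table.  Returns the table index or -1. */
int lookup_filter(const char *name)
{
    static const char *table[] = { "string.rot13", "string.toupper" };
    int n;
    if (!filter_name_len_checked(name, &n)) {
        return -1;           /* refuse instead of narrowing silently */
    }
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strlen(table[i]) == (size_t)n &&
            bounded_hash(table[i], (size_t)n) == bounded_hash(name, (size_t)n) &&
            memcmp(table[i], name, (size_t)n) == 0) {
            return (int)i;
        }
    }
    return -1;
}

int main(void)
{
    size_t reported = (size_t)0x8fffff00ULL;   /* length used by the test script */
    printf("strlen=%zu -> after (int) cast and widening: %zu\n",
           reported, len_after_int_roundtrip(reported));
    printf("fits in int? %s\n", length_fits_int(reported) ? "yes" : "no");
    printf("lookup(\"string.rot13\") = %d\n", lookup_filter("string.rot13"));
    printf("lookup(\"nosuch\") = %d\n", lookup_filter("nosuch"));
    return 0;
}
```

The check matters wherever a size_t crosses into an int-typed interface: the same length that is perfectly valid for str_repeat() and for the hash table's own size_t parameter becomes a read of roughly 16 exabytes once it has passed through a 32-bit int, and no later bounds check inside the hash function can recover from that.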