php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73496 Invalid memory access in zend_inline_hash_func
Submitted: 2016-11-11 08:43 UTC Modified: 2020-11-18 14:02 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: Filter related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ahihibughunter at gmail dot com
New email:
PHP Version: OS:

 

 [2016-11-11 08:43 UTC] ahihibughunter at gmail dot com
Description:
------------
in function php_stream_filter_create, filtername has very large value and cause crash in zend_hash_str_find_ptr.

PHPAPI php_stream_filter *php_stream_filter_create(const char *filtername, zval *filterparams, int persistent)
{
	......

	n = (int)strlen(filtername);     <-       filtername has very large value

	if (NULL != (factory = zend_hash_str_find_ptr(filter_hash, filtername, n))) {   <- crash here  
		filter = factory->create_filter(filtername, filterparams, persistent);
    ....
}

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat('a', 0x8fffff00);
stream_filter_register($str,$str);
$fd = fopen('php://memory','w');
$filter = stream_filter_append($fd, $str);
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
....
Program received signal SIGSEGV, Segmentation fault.
0x0000000000a199ac in zend_inline_hash_func (str=0x7fffec800001 <error: Cannot access memory at address 0x7fffec800001>, len=18446744069414584088)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_string.h:330
330			hash = ((hash << 5) + hash) + *str++;
(gdb) bt
#0  0x0000000000a199ac in zend_inline_hash_func (str=0x7fffec800001 <error: Cannot access memory at address 0x7fffec800001>, len=18446744069414584088)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_string.h:330
#1  0x0000000000a1fb89 in zend_hash_str_find (ht=0x7fffed602840, str=0x7fff5c800018 'a' <repeats 200 times>..., len=18446744071830503168) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_hash.c:1998
#2  0x0000000000995b73 in zend_hash_str_find_ptr (ht=0x7fffed602840, str=0x7fff5c800018 'a' <repeats 200 times>..., len=18446744071830503168) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_hash.h:697
#3  0x0000000000996623 in php_stream_filter_create (filtername=0x7fff5c800018 'a' <repeats 200 times>..., filterparams=0x0, persistent=0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/streams/filter.c:260
#4  0x0000000000929e04 in apply_filter_to_stream (append=1, execute_data=0x7fffed614140, return_value=0x7fffed614120) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/standard/streamsfuncs.c:1157
#5  0x0000000000929ff4 in zif_stream_filter_append (execute_data=0x7fffed614140, return_value=0x7fffed614120) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/standard/streamsfuncs.c:1212
#6  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#7  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#8  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#9  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#10 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcab0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#11 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c5a0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#12 0x0000000000ad18aa in main (argc=2, argv=0x141c5a0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-18 14:40 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:40 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2016-11-19 01:01 UTC] ahihibughunter at gmail dot com
Hi krakjoe, be fair pls, u change the rules before i report this, or at least give me bounty for this. Thanks.
 [2016-11-19 01:16 UTC] ahihibughunter at gmail dot com
I mean after. Thanks
 [2016-11-19 15:30 UTC] rasmus@php.net
We don't have any bug bounties.
 [2020-11-18 14:02 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2020-11-18 14:02 UTC] cmb@php.net
This is actually a duplicate of bug #72743.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 05 15:01:31 2024 UTC