PHP :: Bug #73522 :: interger overflow in mbfl_memory_device

Bug #73522	interger overflow in mbfl_memory_device_strncat
Submitted:	2016-11-15 08:09 UTC	Modified:	2017-07-23 10:09 UTC
From:	ahihibughunter at gmail dot com	Assigned:	nikic (profile)
Status:	Closed	Package:	mbstring related
PHP Version:	7.0.13	OS:	ALL
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2016-11-15 08:09 UTC] ahihibughunter at gmail dot com

Description:
------------
in function mbfl_memory_device_strncat
mbfl_memory_device_strncat(mbfl_memory_device *device, const char *psrc, int len)
{
	unsigned char *w;
......
        w = &device->buffer[device->pos];
	device->pos += len;
	while (len > 0) {
		*w++ = *psrc++; <- crash here 
		len--;
	}

	return len;
}
device->pos may have negative value cause php7 crash.

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$to = 'zx@zxisreal.com';
$headers = str_repeat('a', 0x80001000);
mb_send_mail($to, mb_language(), "test", $headers);
?>

Expected result:
----------------
No crash

Actual result:
--------------
$gdb ../php7new/php-src-PHP-7.0.13/sapi/cli/php
(gdb) r crash.php 
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000756a66 in mbfl_memory_device_strncat (device=0x7fffffffa350, psrc=0x100f642 "IME-Version: 1.0", len=17)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:268
268			*w++ = *psrc++;
(gdb) print w
$1 = (unsigned char *) 0xffffffff80001001 <error: Cannot access memory at address 0xffffffff80001001>
(gdb) bt
#0  0x0000000000756a66 in mbfl_memory_device_strncat (device=0x7fffffffa350, psrc=0x100f642 "IME-Version: 1.0", len=17)
    at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c:268
#1  0x0000000000761f5f in zif_mb_send_mail (execute_data=0x7fffed614110, return_value=0x7fffed614100) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/mbstring.c:4448
#2  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#3  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#4  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#5  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#6  0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcab0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#7  0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#8  0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-18 14:40 UTC] krakjoe@php.net

-Type: Security +Type: Bug

[2016-11-18 14:40 UTC] krakjoe@php.net

This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security

[2017-07-23 10:09 UTC] nikic@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic

[2017-07-23 10:09 UTC] nikic@php.net

This is fixed in master.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed May 01 15:01:30 2024 UTC