php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73527 Invalid memory access in php_filter_strip
Submitted: 2016-11-15 12:24 UTC Modified: 2020-06-04 09:47 UTC
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Filter related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID: None
 [2016-11-15 12:24 UTC] ahihibughunter at gmail dot com
Description:
------------
in function php_filter_strip
static void php_filter_strip(zval *value, zend_long flags)
{
.....
for (i = 0; i < Z_STRLEN_P(value); i++) {
		if ((str[i] >= 127) && (flags & FILTER_FLAG_STRIP_HIGH)) {
		} else if ((str[i] < 32) && (flags & FILTER_FLAG_STRIP_LOW)) {
		} else if ((str[i] == '`') && (flags & FILTER_FLAG_STRIP_BACKTICK)) {
		} else {
			ZSTR_VAL(buf)[c] = str[i];
			++c;
		}
	}
	/* update zval string data */
	ZSTR_VAL(buf)[c] = '\0';  <- crash here
	ZSTR_LEN(buf) = c;
}

if len of value may get very big value which leads to invalid memory access and cause php7 crash.



Test script:
---------------
<?php 
ini_set('memory_limit', -1);
$var  = str_repeat('a',0x80001000);
$a = filter_var($var, FILTER_SANITIZE_STRING, array("flags" => FILTER_FLAG_STRIP_LOW));
?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../php7new/php-src-PHP-7.0.13/sapi/cli/php
(gdb) r test.php 
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php
....
Program received signal SIGSEGV, Segmentation fault.
0x000000000064781a in php_filter_strip (value=0x7fffed6140e0, flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:135
135		ZSTR_VAL(buf)[c] = '\0';
(gdb) bt
#0  0x000000000064781a in php_filter_strip (value=0x7fffed6140e0, flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:135
#1  0x0000000000647add in php_filter_string (value=0x7fffed6140e0, flags=33554436, option_array=0x0, charset=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:192
#2  0x00000000006449c3 in php_zval_filter (value=0x7fffed6140e0, filter=513, flags=33554436, options=0x0, charset=0x0, copy=1 '\001') at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:405
#3  0x0000000000645cc1 in php_filter_call (filtered=0x7fffed6140e0, filter=513, filter_args=0x7fffed614180, copy=1, filter_flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:662
#4  0x00000000006468ed in zif_filter_var (execute_data=0x7fffed614100, return_value=0x7fffed6140e0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:791
#5  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#6  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#7  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#8  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#9  0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#10 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#11 0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb) print c
$3 = -2147483648
(gdb) 


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-18 14:39 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:39 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2020-06-04 09:47 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #73527: Invalid memory access in php_filter_strip
On GitHub:  https://github.com/php/php-src/pull/5660
Patch:      https://github.com/php/php-src/pull/5660.patch
 [2020-06-04 09:47 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2020-06-04 11:41 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ceae81665cc6d8dadf2103a3f9266150b076ab2a
Log: Fix #73527: Invalid memory access in php_filter_strip
 [2020-06-04 11:41 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 15:01:28 2024 UTC