|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-11-18 14:39 UTC] krakjoe@php.net
-Type: Security
+Type: Bug
[2016-11-18 14:39 UTC] krakjoe@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2020 The PHP GroupAll rights reserved. |
Last updated: Mon Feb 24 00:01:25 2020 UTC |
Description: ------------ in function php_filter_strip static void php_filter_strip(zval *value, zend_long flags) { ..... for (i = 0; i < Z_STRLEN_P(value); i++) { if ((str[i] >= 127) && (flags & FILTER_FLAG_STRIP_HIGH)) { } else if ((str[i] < 32) && (flags & FILTER_FLAG_STRIP_LOW)) { } else if ((str[i] == '`') && (flags & FILTER_FLAG_STRIP_BACKTICK)) { } else { ZSTR_VAL(buf)[c] = str[i]; ++c; } } /* update zval string data */ ZSTR_VAL(buf)[c] = '\0'; <- crash here ZSTR_LEN(buf) = c; } if len of value may get very big value which leads to invalid memory access and cause php7 crash. Test script: --------------- <?php ini_set('memory_limit', -1); $var = str_repeat('a',0x80001000); $a = filter_var($var, FILTER_SANITIZE_STRING, array("flags" => FILTER_FLAG_STRIP_LOW)); ?> Expected result: ---------------- No crash Actual result: -------------- $ gdb ../../php7new/php-src-PHP-7.0.13/sapi/cli/php (gdb) r test.php Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php .... Program received signal SIGSEGV, Segmentation fault. 0x000000000064781a in php_filter_strip (value=0x7fffed6140e0, flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:135 135 ZSTR_VAL(buf)[c] = '\0'; (gdb) bt #0 0x000000000064781a in php_filter_strip (value=0x7fffed6140e0, flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:135 #1 0x0000000000647add in php_filter_string (value=0x7fffed6140e0, flags=33554436, option_array=0x0, charset=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:192 #2 0x00000000006449c3 in php_zval_filter (value=0x7fffed6140e0, filter=513, flags=33554436, options=0x0, charset=0x0, copy=1 '\001') at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:405 #3 0x0000000000645cc1 in php_filter_call (filtered=0x7fffed6140e0, filter=513, filter_args=0x7fffed614180, copy=1, filter_flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:662 #4 0x00000000006468ed in zif_filter_var (execute_data=0x7fffed614100, return_value=0x7fffed6140e0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:791 #5 0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586 #6 0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414 #7 0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458 #8 0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427 #9 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494 #10 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974 #11 0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344 (gdb) print c $3 = -2147483648 (gdb)