|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73527 Invalid memory access in php_filter_strip
Submitted: 2016-11-15 12:24 UTC Modified: 2020-06-04 09:47 UTC
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Filter related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: ahihibughunter at gmail dot com
New email:
PHP Version: OS:


 [2016-11-15 12:24 UTC] ahihibughunter at gmail dot com
in function php_filter_strip
static void php_filter_strip(zval *value, zend_long flags)
for (i = 0; i < Z_STRLEN_P(value); i++) {
		if ((str[i] >= 127) && (flags & FILTER_FLAG_STRIP_HIGH)) {
		} else if ((str[i] < 32) && (flags & FILTER_FLAG_STRIP_LOW)) {
		} else if ((str[i] == '`') && (flags & FILTER_FLAG_STRIP_BACKTICK)) {
		} else {
			ZSTR_VAL(buf)[c] = str[i];
	/* update zval string data */
	ZSTR_VAL(buf)[c] = '\0';  <- crash here
	ZSTR_LEN(buf) = c;

if len of value may get very big value which leads to invalid memory access and cause php7 crash.

Test script:
ini_set('memory_limit', -1);
$var  = str_repeat('a',0x80001000);
$a = filter_var($var, FILTER_SANITIZE_STRING, array("flags" => FILTER_FLAG_STRIP_LOW));

Expected result:
No crash

Actual result:
$ gdb ../../php7new/php-src-PHP-7.0.13/sapi/cli/php
(gdb) r test.php 
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php
Program received signal SIGSEGV, Segmentation fault.
0x000000000064781a in php_filter_strip (value=0x7fffed6140e0, flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:135
135		ZSTR_VAL(buf)[c] = '\0';
(gdb) bt
#0  0x000000000064781a in php_filter_strip (value=0x7fffed6140e0, flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:135
#1  0x0000000000647add in php_filter_string (value=0x7fffed6140e0, flags=33554436, option_array=0x0, charset=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/sanitizing_filters.c:192
#2  0x00000000006449c3 in php_zval_filter (value=0x7fffed6140e0, filter=513, flags=33554436, options=0x0, charset=0x0, copy=1 '\001') at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:405
#3  0x0000000000645cc1 in php_filter_call (filtered=0x7fffed6140e0, filter=513, filter_args=0x7fffed614180, copy=1, filter_flags=33554436) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:662
#4  0x00000000006468ed in zif_filter_var (execute_data=0x7fffed614100, return_value=0x7fffed6140e0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/filter/filter.c:791
#5  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#6  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#7  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#8  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#9  0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#10 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#11 0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb) print c
$3 = -2147483648


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-18 14:39 UTC]
-Type: Security +Type: Bug
 [2016-11-18 14:39 UTC]
This issue does not meet the criteria to be considered a security issue.

Please review:
 [2020-06-04 09:47 UTC]
The following pull request has been associated:

Patch Name: Fix #73527: Invalid memory access in php_filter_strip
On GitHub:
 [2020-06-04 09:47 UTC]
-Assigned To: +Assigned To: cmb
 [2020-06-04 11:41 UTC]
Automatic comment on behalf of
Log: Fix #73527: Invalid memory access in php_filter_strip
 [2020-06-04 11:41 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jun 25 15:01:32 2024 UTC