php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73528 Crash in zif_mb_send_mail
Submitted: 2016-11-15 14:24 UTC Modified: 2017-07-22 15:36 UTC
From: ahihibughunter at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.0.13 OS: ALL
Private report: No CVE-ID: None
 [2016-11-15 14:24 UTC] ahihibughunter at gmail dot com
Description:
------------
In function mb_send_mail
PHP_FUNCTION(mb_send_mail)
{
.....

if (to != NULL) {
		if (to_len > 0) {
			to_r = estrndup(to, to_len);
			for (; to_len; to_len--) {
				if (!isspace((unsigned char) to_r[to_len - 1])) {
					break;
				}
				to_r[to_len - 1] = '\0';
			}
			for (i = 0; to_r[i]; i++) {    <- crash here
			if (iscntrl((unsigned char) to_r[i])) {
....
}
when to_len can have very big value which leads to invalid memory access on to_r[i] ( i become negative number) and cause php7 crash.

Test script:
---------------
<?php
ini_set('memory_limit', -1);

$to  = str_repeat('a',0x80001000);
$headers = 'foo';
mb_send_mail($to, mb_language(), "test", $headers);
?>

Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../php7new/php-src-PHP-7.0.13/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
(gdb) r test.php 
Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000761bc2 in zif_mb_send_mail (execute_data=0x7fffed614110, return_value=0x7fffed614100) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/mbstring.c:4364
4364				for (i = 0; to_r[i]; i++) {
(gdb) bt
#0  0x0000000000761bc2 in zif_mb_send_mail (execute_data=0x7fffed614110, return_value=0x7fffed614100) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/mbstring.c:4364
#1  0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586
#2  0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414
#3  0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458
#4  0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427
#5  0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494
#6  0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974
#7  0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344
(gdb) print i
$1 = -2147483648
(gdb) print to_len
$2 = 2147487744
(gdb) 


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-18 14:36 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:36 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2017-07-23 09:56 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bd63c0f5b3efd1689a231fccebe74e798e1bbd88
Log: Fix bug #73528
 [2017-07-23 09:56 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Thu Dec 13 22:01:26 2018 UTC