|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-11-18 14:36 UTC] krakjoe@php.net
-Type: Security
+Type: Bug
[2016-11-18 14:36 UTC] krakjoe@php.net
[2017-07-23 09:56 UTC] nikic@php.net
[2017-07-23 09:56 UTC] nikic@php.net
-Status: Open
+Status: Closed
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Tue Apr 16 04:01:27 2024 UTC |
Description: ------------ In function mb_send_mail PHP_FUNCTION(mb_send_mail) { ..... if (to != NULL) { if (to_len > 0) { to_r = estrndup(to, to_len); for (; to_len; to_len--) { if (!isspace((unsigned char) to_r[to_len - 1])) { break; } to_r[to_len - 1] = '\0'; } for (i = 0; to_r[i]; i++) { <- crash here if (iscntrl((unsigned char) to_r[i])) { .... } when to_len can have very big value which leads to invalid memory access on to_r[i] ( i become negative number) and cause php7 crash. Test script: --------------- <?php ini_set('memory_limit', -1); $to = str_repeat('a',0x80001000); $headers = 'foo'; mb_send_mail($to, mb_language(), "test", $headers); ?> Expected result: ---------------- No crash Actual result: -------------- $ gdb ../../php7new/php-src-PHP-7.0.13/sapi/cli/php GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1 (gdb) r test.php Starting program: /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php test.php [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. 0x0000000000761bc2 in zif_mb_send_mail (execute_data=0x7fffed614110, return_value=0x7fffed614100) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/mbstring.c:4364 4364 for (i = 0; to_r[i]; i++) { (gdb) bt #0 0x0000000000761bc2 in zif_mb_send_mail (execute_data=0x7fffed614110, return_value=0x7fffed614100) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/ext/mbstring/mbstring.c:4364 #1 0x0000000000a67659 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:586 #2 0x0000000000a67085 in execute_ex (ex=0x7fffed614030) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:414 #3 0x0000000000a67196 in zend_execute (op_array=0x7fffed684000, return_value=0x0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend_vm_execute.h:458 #4 0x0000000000a0812d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/Zend/zend.c:1427 #5 0x00000000009701fc in php_execute_script (primary_file=0x7fffffffcaa0) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/main/main.c:2494 #6 0x0000000000ad06dc in do_cli (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:974 #7 0x0000000000ad18aa in main (argc=2, argv=0x141c670) at /home/zx/zx/php/php7new/php-src-PHP-7.0.13/sapi/cli/php_cli.c:1344 (gdb) print i $1 = -2147483648 (gdb) print to_len $2 = 2147487744 (gdb)