PHP :: Bug #73540 :: Invalid memory access in zif_create

Bug #73540

Invalid memory access in zif_create_function

Submitted:

2016-11-16 11:12 UTC

Modified:

2021-04-28 12:51 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

ahihibughunter at gmail dot com

Assigned:

cmb (profile)

Status:

Wont fix

Package:

Unknown/Other Function

PHP Version:

5.6.28

OS:

ALL

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!

Your email address: MUST BE VALID
Solve the problem: 37 - 27 = ?
Subscribe to this entry?

[2016-11-16 11:12 UTC] ahihibughunter at gmail dot com

Description:
------------
In function zif_create_function
ZEND_FUNCTION(create_function)
{
....
	eval_code[eval_code_length++] = ')';
	eval_code[eval_code_length++] = '{';

	memcpy(eval_code + eval_code_length, function_code, function_code_len);
	eval_code_length += function_code_len;

	eval_code[eval_code_length++] = '}';  <- crashed here
	eval_code[eval_code_length] = '\0';
.....
}
length of eval_code increate without check it value cause php5 crash



Test script:
---------------
<?php
ini_set('memory_limit', -1);
$z  = str_repeat('a',0x7fffffff);
var_dump( uasort($array_arg, create_function('x, x',$z) ) );
?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb ../../../php5new/php-src-PHP-5.6.28/sapi/cli/php 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
.................
(gdb) r test.php 
Starting program: /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000adff8e in zif_create_function (ht=2, return_value=0x7ffff7fb5bc0, return_value_ptr=0x7ffff7f7a238, this_ptr=0x0, return_value_used=1)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_builtin_functions.c:1826
1826		eval_code[eval_code_length++] = '}';
(gdb) bt
#0  0x0000000000adff8e in zif_create_function (ht=2, return_value=0x7ffff7fb5bc0, return_value_ptr=0x7ffff7f7a238, this_ptr=0x0, return_value_used=1)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_builtin_functions.c:1826
#1  0x0000000000b0bbaa in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:558
#2  0x0000000000b116d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:2602
#3  0x0000000000b0b212 in execute_ex (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:363
#4  0x0000000000b0b299 in zend_execute (op_array=0x7ffff7fb5348) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:388
#5  0x0000000000ac3c49 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend.c:1341
#6  0x0000000000a24d6c in php_execute_script (primary_file=0x7fffffffc9f0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/main/main.c:2613
#7  0x0000000000b80a61 in do_cli (argc=2, argv=0x147a670) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:998
#8  0x0000000000b81dc4 in main (argc=2, argv=0x147a670) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1382
(gdb) print eval_code_length
$1 = -2147483619
(gdb)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-11-16 22:01 UTC] stas@php.net

-Type: Security +Type: Bug

[2016-11-16 22:01 UTC] stas@php.net

Not a security issue.

[2016-11-16 22:01 UTC] stas@php.net

Not a security issue.

[2021-04-28 12:51 UTC] cmb@php.net

-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb

[2021-04-28 12:51 UTC] cmb@php.net

create_function() is deprecated as of PHP 7.2.0, and removed as of
PHP 8.0.0, and I consider it to be highly unlikely that anybody
would try to create a function with a resulting length of SIZE_MAX
(note that eval_code_length is changed from `int` to `size_t` as
of PHP 7.0.0).

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 21:01:30 2024 UTC