Bug #73540 Invalid memory access in zif_create_function
Submitted: 2016-11-16 11:12 UTC Modified: 2021-04-28 12:51 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Wont fix Package: Unknown/Other Function
PHP Version: 5.6.28 OS: ALL
Private report: No CVE-ID: None

 [2016-11-16 11:12 UTC] ahihibughunter at gmail dot com
In function zif_create_function
	eval_code[eval_code_length++] = ')';
	eval_code[eval_code_length++] = '{';

	memcpy(eval_code + eval_code_length, function_code, function_code_len);
	eval_code_length += function_code_len;

	eval_code[eval_code_length++] = '}';  <- crashed here
	eval_code[eval_code_length] = '\0';
The length of eval_code is incremented without checking its value, which causes PHP 5 to crash.

Test script:
<?php
// Lift the memory limit so the 2 GiB string below can be allocated.
ini_set('memory_limit', -1);
// Function body of length 0x7fffffff (INT_MAX); the int length counter wraps when it is added.
$z = str_repeat('a', 0x7fffffff);
// Any array will do: the crash is inside create_function(), before uasort() runs.
$array_arg = array(1, 2);
var_dump( uasort($array_arg, create_function('x, x', $z) ) );

Expected result:
No crash

Actual result:
$ gdb ../../../php5new/php-src-PHP-5.6.28/sapi/cli/php 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
(gdb) r test.php 
Starting program: /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000adff8e in zif_create_function (ht=2, return_value=0x7ffff7fb5bc0, return_value_ptr=0x7ffff7f7a238, this_ptr=0x0, return_value_used=1)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_builtin_functions.c:1826
1826		eval_code[eval_code_length++] = '}';
(gdb) bt
#0  0x0000000000adff8e in zif_create_function (ht=2, return_value=0x7ffff7fb5bc0, return_value_ptr=0x7ffff7f7a238, this_ptr=0x0, return_value_used=1)
    at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_builtin_functions.c:1826
#1  0x0000000000b0bbaa in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:558
#2  0x0000000000b116d5 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:2602
#3  0x0000000000b0b212 in execute_ex (execute_data=0x7ffff7f7a2b0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:363
#4  0x0000000000b0b299 in zend_execute (op_array=0x7ffff7fb5348) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend_vm_execute.h:388
#5  0x0000000000ac3c49 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/Zend/zend.c:1341
#6  0x0000000000a24d6c in php_execute_script (primary_file=0x7fffffffc9f0) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/main/main.c:2613
#7  0x0000000000b80a61 in do_cli (argc=2, argv=0x147a670) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:998
#8  0x0000000000b81dc4 in main (argc=2, argv=0x147a670) at /home/zx/zx/php/php5new/php-src-PHP-5.6.28/sapi/cli/php_cli.c:1382
(gdb) print eval_code_length
$1 = -2147483619
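The wrap the report describes, and the form a checked version of the same string assembly takes, as an added example written for this page (it is not PHP's source, which only quotes the tail of the routine above). It assumes a prefix of "function __lambda_func(" and a 30-byte running length before the body; the 30 is inferred from the gdb value printed above (-2147483619 is what a 32-bit int holds after 30 + 0x7fffffff), not stated on the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed prefix written before the argument list (the report only quotes the
 * part of zif_create_function after it). */
static const char PREFIX[] = "function __lambda_func(";

/* Model of the PHP 5.6 arithmetic: eval_code_length is a 32-bit int, so after
 * `eval_code_length += function_code_len` the index used for the closing '}'
 * goes negative once function_code_len is close to INT32_MAX.  The wrap is
 * computed on an unsigned value and mapped back by hand so that the model
 * itself contains no signed-overflow undefined behaviour. */
int32_t php56_wrapped_length(uint32_t running_len, uint32_t code_len)
{
    uint32_t u = running_len + code_len;            /* wraps modulo 2^32 */
    if (u > (uint32_t)INT32_MAX)                    /* would be negative as int */
        return (int32_t)-(int64_t)(UINT32_C(0xFFFFFFFF) - u + 1u);
    return (int32_t)u;
}

/* Checked builder (the shape a fix takes): size_t lengths, every addition
 * tested against SIZE_MAX before the single allocation, and the closing brace
 * and NUL counted up front.  Returns NULL on overflow or allocation failure. */
char *build_lambda_source(const char *args, size_t args_len,
                          const char *code, size_t code_len)
{
    const size_t fixed = (sizeof(PREFIX) - 1) + 2 /* ")" "{" */
                       + 1 /* "}" */ + 1 /* NUL */;
    size_t total = fixed;
    if (args_len > SIZE_MAX - total) return NULL;
    total += args_len;
    if (code_len > SIZE_MAX - total) return NULL;
    total += code_len;

    char *buf = malloc(total);
    if (buf == NULL) return NULL;

    size_t n = 0;
    memcpy(buf + n, PREFIX, sizeof(PREFIX) - 1); n += sizeof(PREFIX) - 1;
    memcpy(buf + n, args, args_len);             n += args_len;
    buf[n++] = ')';
    buf[n++] = '{';
    memcpy(buf + n, code, code_len);             n += code_len;
    buf[n++] = '}';
    buf[n] = '\0';                               /* n == total - 1 */
    return buf;
}

int main(void)
{
    /* Reproduces the figure from the gdb session in the report. */
    printf("wrapped index: %d\n", php56_wrapped_length(30, 0x7fffffffu));

    const char *args = "$a, $b", *code = "return $a - $b;";   /* constructed */
    char *src = build_lambda_source(args, strlen(args), code, strlen(code));
    if (src != NULL) { puts(src); free(src); }

    /* A body length that cannot fit is rejected instead of wrapping. */
    printf("oversized rejected: %s\n",
           build_lambda_source("x", 1, "y", SIZE_MAX) == NULL ? "yes" : "no");
    return 0;
}
```

On a 64-bit build the checked version never trips in practice, since a string of length near SIZE_MAX cannot exist, which is the point cmb makes below; the check is still the right habit, because with a 32-bit counter the same code is reachable with a 2 GiB string once memory_limit is lifted, exactly as the test script does.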


 [2016-11-16 22:01 UTC]
-Type: Security +Type: Bug
 [2016-11-16 22:01 UTC]
Not a security issue.
 [2021-04-28 12:51 UTC]
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2021-04-28 12:51 UTC]
create_function() is deprecated as of PHP 7.2.0, and removed as of
PHP 8.0.0, and I consider it to be highly unlikely that anybody
would try to create a function with a resulting length of SIZE_MAX
(note that eval_code_length is changed from `int` to `size_t` as
of PHP 7.0.0).