php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73559 output_add_rewrite_var null dereference
Submitted: 2016-11-18 03:18 UTC Modified: 2023-10-14 16:40 UTC
From: fernando at null-life dot com Assigned: bukka (profile)
Status: Not a bug Package: Output Control
PHP Version: 7.0.13 OS: Windows
Private report: No CVE-ID: None
 [2016-11-18 03:18 UTC] fernando at null-life dot com
Description:
------------
if the supplied value parameter is too big, output_add_rewrite_var will cause an exception with a null dereference.

Debugging output comes from an older PHP 7.0.10 release but I've checked it also affects current 7.0.13

static void php_url_scanner_output_handler(char *output, size_t output_len, char **handled_output, size_t *handled_output_len, int mode)
{
	size_t len;

-->	if (ZSTR_LEN(BG(url_adapt_state_ex).url_app.s) != 0) {
		*handled_output = url_adapt_ext(output, output_len, &len, (zend_bool) (mode & (PHP_OUTPUT_HANDLER_END | PHP_OUTPUT_HANDLER_CONT | PHP_OUTPUT_HANDLER_FLUSH | PHP_OUTPUT_HANDLER_FINAL) ? 1 : 0));
		if (sizeof(uint) < sizeof(size_t)) {
			if (len > UINT_MAX)
				len = UINT_MAX;
		}
		*handled_output_len = len;
	} else if (ZSTR_LEN(BG(url_adapt_state_ex).url_app.s) == 0) {
		url_adapt_state_ex_t *ctx = &BG(url_adapt_state_ex);
		if (ctx->buf.s && ZSTR_LEN(ctx->buf.s)) {
			smart_str_append(&ctx->result, ctx->buf.s);
			smart_str_appendl(&ctx->result, output, output_len);

			*handled_output = estrndup(ZSTR_VAL(ctx->result.s), ZSTR_LEN(ctx->result.s));
			*handled_output_len = ZSTR_LEN(ctx->buf.s) + output_len;

			smart_str_free(&ctx->buf);
			smart_str_free(&ctx->result);
		} else {
			*handled_output = estrndup(output, *handled_output_len = output_len);
		}
	} else {
		*handled_output = NULL;
	}
}



Test script:
---------------
<?php

ini_set('memory_limit', -1);

$v1="test";
$v2=str_repeat("a", 192000000);
output_add_rewrite_var($v1,$v2);



Expected result:
----------------
No crash

Actual result:
--------------
(910.1a78): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

0:000:x86> r
eax=00000000 ebx=00000023 ecx=50a36dd0 edx=04000000 esi=0928f2a0 edi=50a36dd0
eip=50a36dd6 esp=0928f254 ebp=0928f32c iopl=0         nv up ei pl zr na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010247
php7!php_url_scanner_output_handler+0x6:
50a36dd6 83780c00        cmp     dword ptr [eax+0Ch],0 ds:002b:0000000c=????????

HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:50a36dd6 cmp dword ptr [eax+0ch],0

Basic Block:
    50a36dd6 cmp dword ptr [eax+0ch],0
       Tainted Input operands: 'eax'
    50a36dda je php7!php_url_scanner_output_handler+0x3e (50a36e0e)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x4c62c173.0xc2bad5bd

 Hash Usage : Stack Trace:
Major+Minor : php7!php_url_scanner_output_handler+0x6
Major+Minor : php7!php_output_handler_compat_func+0x4e
Major+Minor : php7!php_output_end_all+0x314
Major+Minor : php7!php_request_shutdown+0x101
Major+Minor : php!do_cli+0xdd9
Minor       : php!main+0x44e
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_773e0000!__RtlUserThreadStart+0x2f
Minor       : ntdll_773e0000!_RtlUserThreadStart+0x1b
Instruction Address: 0x0000000050a36dd6
Source File: c:\php-sdk\php70\vc14\x86\php-7.0.10rc1\ext\standard\url_scanner_ex.re
Source Line: 469


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-18 14:39 UTC] krakjoe@php.net
-Type: Security +Type: Bug
 [2016-11-18 14:39 UTC] krakjoe@php.net
This issue does not meet the criteria to be considered a security issue.

Please review: https://wiki.php.net/security
 [2016-11-20 16:59 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-11-20 16:59 UTC] ab@php.net
Thanks for the report. I was checking the supplied snippet, but am unable to reproduce the crash with the latest dev state, but as well with 7.0.5, 32 and 64 bit, with and without USE_ZEND_ALLOC. What do I miss?

Thanks.
 [2016-11-20 22:41 UTC] fernando at null-life dot com
-Status: Feedback +Status: Open
 [2016-11-20 22:41 UTC] fernando at null-life dot com
I'm not using USE_ZEND_ALLOC, Can you please try like this?  
I just noticed that if I remove any of these extensions the exception will not occur.

windbg -hd -xd gp -xd bpe -xd wob -o -G -c "r" C:\tools\php7013\php.exe -n -dextension=ext\php_odbc.dll -dextension=ext\php_imap.dll -dextension=ext\php_intl.dll out.php
 [2016-11-21 15:25 UTC] ab@php.net
Nope, still no crash :( Please see https://gist.github.com/anonymous/70a260010fe1b49af2dac9433c93241e . It also shouldn't matter, which debugger, a crash should invoke watson to pickup in a debugger anyway.

Thanks.
 [2016-12-26 19:07 UTC] fernando at null-life dot com
I can't reproduce this on my work machine (4Gb RAM / Win 8.1) but it worked on my home desktop (12 GB / Win 10), maybe something related to the RAM/allocation prevents the crash from happening? 

I can try again later on a different machine with 32 GB RAM / Win10
 [2023-10-14 16:40 UTC] bukka@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: bukka
 [2023-10-14 16:40 UTC] bukka@php.net
I'm going to close this as this is not reproducible and no further feedback provided. If you still see an issue, please create a new GitHub issue with more feedback. This wouldn't be a security issue even if reproducible so please create normal public issue.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 20 02:01:33 2024 UTC