|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2018-04-23 03:26 UTC] stas@php.net
-Type: Security
+Type: Bug
[2018-04-23 03:26 UTC] stas@php.net
[2018-04-23 04:30 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
[2018-04-23 04:30 UTC] stas@php.net
[2018-04-23 04:30 UTC] stas@php.net
-PHP Version: 7.2Git-2018-03-27 (Git)
+PHP Version: 7.1.17
[2018-04-24 00:43 UTC] jmenon at isi dot edu
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Apr 27 05:01:29 2024 UTC |
Description: ------------ There exists a signed comparison happening in the phar_check_str() @ phar.c : 1857 which can be bypassed with a negative value and could lead to a buffer-over-flow on the stack with user controlled input. This is not an exploitable bug due to a comparison happening in the phar_split_fname() @ phar.c : 2209 which sign extends the int variable to size_t. We do not believe that this is the intended consequence of the above mentioned comparison and therefore, it might be possible to exploit this vulnerability in a situation where PHP (32 bit) allows generation of strings of size larger than 2^31 bytes. We had reported this bug via email, but did not receive any response after 5 days which is why we chose to report it here as well. Test script: --------------- phar_check_str(): 1854 : char test[51]; 1857 : if ( ext_len >= 50) return FAILURE; 1863 : memcpy(test, ext_str - 1, ext_len + 1); ... phar_split_fname(): 2209 : if (CHECK_NULL_PATH(filename, filename_len)) return FAILURE; ... zend_API.h #define CHECK_NULL_PATH(p, l) (strlen(p) != (size_t)(l))