Bug #76155 Integer overflow
Submitted: 2018-03-27 23:11 UTC Modified: 2018-04-24 00:43 UTC
From: jmenon at isi dot edu Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.17 OS: Linux
Private report: No CVE-ID: None
 [2018-03-27 23:11 UTC] jmenon at isi dot edu
Description:
------------
There exists a signed comparison happening in the phar_check_str() @ phar.c : 1857 which can be bypassed with a negative value and could lead to a buffer overflow on the stack with user controlled input.

This is not an exploitable bug due to a comparison happening in the phar_split_fname() @ phar.c : 2209 which sign extends the int variable to size_t.

We do not believe that this is the intended consequence of the above mentioned comparison and therefore, it might be possible to exploit this vulnerability in a situation where PHP (32 bit) allows generation of strings of size larger than 2^31 bytes.

We had reported this bug via email, but did not receive any response after 5 days which is why we chose to report it here as well.

Test script:
---------------
phar_check_str():

1854 : char test[51];

1857 : if ( ext_len >= 50)
               return FAILURE;

1863 : memcpy(test, ext_str - 1, ext_len + 1);

...
phar_split_fname():

2209 : if (CHECK_NULL_PATH(filename, filename_len)) 
           return FAILURE;
...
zend_API.h

#define CHECK_NULL_PATH(p, l) (strlen(p) != (size_t)(l))
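An added C model of the two comparisons quoted above. It is not code from php-src, and the hardened variant is an illustrative fix rather than the committed patch. It shows that a negative int length is not rejected by the >= 50 check, what length memcpy would then receive after the implicit int to size_t conversion, and why the (size_t) cast inside CHECK_NULL_PATH rejects the same negative value.

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define SUCCESS 0
#define FAILURE (-1)
#define MAX_EXT 50          /* limit used by the check at phar.c:1857 */

/* Model of the reported check: ext_len is a signed int, so a negative
   value compares below 50 and is NOT rejected. Returns true if rejected. */
static bool signed_check_rejects(int ext_len)
{
    return ext_len >= MAX_EXT;
}

/* The third memcpy argument is size_t, so ext_len + 1 is converted
   implicitly. For a negative ext_len this yields a huge copy length. */
static size_t memcpy_len_after_conversion(int ext_len)
{
    return (size_t)(ext_len + 1);
}

/* Model of CHECK_NULL_PATH(p, l): a negative l cast to size_t can never
   equal strlen(p), which is why phar_split_fname() happens to reject it. */
static bool null_path_check_fails(const char *p, int l)
{
    return strlen(p) != (size_t)l;
}

/* Illustrative hardened form (an assumption, not the upstream commit):
   carry the length as size_t end to end so there is no sign to lose,
   and bound-check before copying into the fixed-size stack buffer. */
static int check_ext_hardened(const char *ext_str, size_t ext_len)
{
    char test[MAX_EXT + 1];
    if (ext_len >= MAX_EXT) {
        return FAILURE;
    }
    memcpy(test, ext_str, ext_len);   /* at most 49 bytes */
    test[ext_len] = '\0';
    return SUCCESS;
}
```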


 [2018-04-23 03:26 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-04-23 03:26 UTC] stas@php.net
Doesn't seem to have any security implications, but probably worth fixing anyway since it's not nice to convert size_t to int and then forget it can be negative.
 [2018-04-23 04:30 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2018-04-23 04:30 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2018-04-23 04:30 UTC] stas@php.net
-PHP Version: 7.2Git-2018-03-27 (Git) +PHP Version: 7.1.17
 [2018-04-24 00:43 UTC] jmenon at isi dot edu
For clarity, this bug has security implications: the integer overflow,
if triggered, leads to a buffer overflow which can be leveraged by an
attacker to execute arbitrary code.

It is not clear whether it is possible to trigger the integer overflow
from user input. As I mentioned before, it might be possible to exploit
this vulnerability in a situation where PHP (32 bit) allows generation
of strings of size larger than 2^31 bytes.

Either way, thank you for replying.