PHP :: Sec Bug #54304 :: Invalid read in RegexIterator::accept() causes crash
| Sec Bug #54304 | Invalid read in RegexIterator::accept() causes crash | | |
|---|---|---|---|
| Submitted: | 2011-03-18 11:21 UTC | Modified: | 2011-09-12 13:22 UTC |
| From: | decoder-php at own-hero dot net | Assigned: | pajoye |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | 5.3.6 | OS: | Linux x86-64 |
| Private report: | No | CVE-ID: | None |
[2011-03-18 11:21 UTC] decoder-php at own-hero dot net
Description:
------------
The attached code crashes on PHP 5.3 and trunk. It seems particularly dangerous because the address where the invalid read happens is directly assignable. I didn't have more time to look into this but it might be possible to do arbitrary memory reading with this vulnerability.
Test script:
---------------
```php
<?php
class foo extends ArrayIterator {
    public function __construct() {
        parent::__construct(array(
            'test3' => 'test999'));
    }
}
$h = new foo;
$i = new RegexIterator($h, '/^test(.*)/', RegexIterator::REPLACE);
$i->replacement = 3735928559; // 0xdeadbeef
foreach ($i as $name => $value) {
}
?>
```
Actual result:
--------------
```
==22309== Invalid read of size 1
==22309== at 0x497700: php_pcre_replace_impl (php_pcre.c:1088)
==22309== by 0x62E77E: zim_spl_RegexIterator_accept (spl_iterators.c:1919)
==22309== by 0x7C3A40: zend_call_function (zend_execute_API.c:986)
==22309== by 0x7EF6A1: zend_call_method (zend_interfaces.c:97)
==22309== by 0x62DD39: spl_filter_it_fetch (spl_iterators.c:1724)
==22309== by 0x62DE07: spl_filter_it_rewind (spl_iterators.c:1743)
==22309== by 0x62DE96: zim_spl_FilterIterator_rewind (spl_iterators.c:1763)
==22309== by 0x7C3A40: zend_call_function (zend_execute_API.c:986)
==22309== by 0x7EF6A1: zend_call_method (zend_interfaces.c:97)
==22309== by 0x7EFCFF: zend_user_it_rewind (zend_interfaces.c:261)
==22309== by 0x88CBE0: ZEND_FE_RESET_SPEC_CV_HANDLER (zend_vm_execute.h:22724)
==22309== by 0x80693D: execute (zend_vm_execute.h:107)
==22309== Address 0xdeadbeef is not stack'd, malloc'd or (recently) free'd
==22309==
==22309==
==22309== Process terminating with default action of signal 11 (SIGSEGV)
==22309== Access not within mapped region at address 0xDEADBEEF
```
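The Valgrind trace shows the pattern behind this report: the integer assigned to `$i->replacement` (0xdeadbeef) is used directly as the address of the replacement string, so a non-string value is being read through a string pointer without a type check. The following is an added illustration of that defect class in C, with a minimal tagged value modelled loosely on a zval and a checked alternative; it is not PHP's actual `zval`, `php_pcre_replace_impl`, or the fix that closed this bug, and the names `tagged_val`, `replacement_unchecked` and `replacement_checked` are invented for the example.

```c
/* Added illustration of the bug class in this report, not PHP's own code:
 * a tagged value whose string pointer is read without checking the tag. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { T_LONG, T_STRING } tag_t;

typedef struct {
    tag_t type;
    union {
        long lval;                              /* integer payload */
        struct { char *val; size_t len; } str;  /* string payload */
    } value;                                    /* both members start at offset 0 */
} tagged_val;

/* Unchecked read: whatever bits the union holds come back as a char pointer.
 * For the long 3735928559 that pointer is 0xdeadbeef, the address in the
 * Valgrind output above.  The pointer is never dereferenced here. */
static const char *replacement_unchecked(const tagged_val *v)
{
    return v->value.str.val;   /* type confusion whenever v->type != T_STRING */
}

/* Checked read: coerce to a string before handing the value to a string-only
 * API, which is what a caller must do with user-controlled values.
 * The caller frees the result. */
static char *replacement_checked(const tagged_val *v)
{
    char buf[32];
    switch (v->type) {
    case T_STRING:
        return strndup(v->value.str.val, v->value.str.len);
    case T_LONG:
        snprintf(buf, sizeof buf, "%ld", v->value.lval);
        return strdup(buf);
    }
    return NULL;
}

int main(void)
{
    /* Mirrors "$i->replacement = 3735928559;" from the test script (constructed input). */
    tagged_val r = { .type = T_LONG, .value.lval = 3735928559L };
    printf("unchecked pointer: %p\n", (const void *)replacement_unchecked(&r));
    char *s = replacement_checked(&r);
    printf("checked string:    \"%s\"\n", s);
    free(s);
    return 0;
}
```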
History
[2011-03-23 01:58 UTC] felipe@php.net
-Summary: Crash in php_pcre_replace_impl +Summary: Invalid read in RegexIterator::accept() causes crash
[2011-09-12 11:46 UTC] bjori@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: bjori
[2011-09-12 12:09 UTC] pajoye@php.net
-Status: Closed +Status: Re-Opened
[2011-09-12 13:04 UTC] pajoye@php.net
-Assigned To: bjori +Assigned To: pajoye
[2011-09-12 13:22 UTC] bjori@php.net
-Status: Re-Opened +Status: Closed