PHP :: Bug #67252 :: convert_uudecode out-of-bounds read
[2014-05-12 03:22 UTC] stas@php.net
Description:
------------
convert_uudecode does not check the string length and thus tries to read past string end on short strings.

Test script:
---------------
$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."!.";
// Decoding the string is what reaches php_uudecode in the trace below.
convert_uudecode($a);

Expected result:
----------------
no memory errors

Actual result:
--------------
==4264== Invalid read of size 1
==4264==    at 0x7B9FCA: php_uudecode (uuencode.c:156)
==4264==    by 0x7BA0FB: zif_convert_uudecode (uuencode.c:216)
==4264==    by 0x8FA502: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:550)
==4264==    by 0x8EBD9F: execute_ex (zend_vm_execute.h:363)
==4264==    by 0x877B28: zend_execute_scripts (zend.c:1316)
==4264==    by 0x819828: php_execute_script (main.c:2506)
==4264==    by 0x92863B: do_cli (php_cli.c:994)
==4264==    by 0x928DD7: main (php_cli.c:1378)
==4264==  Address 0x15ffb671 is 0 bytes after a block of size 65 alloc'd
==4264==    at 0x4C26FDE: malloc (vg_replace_malloc.c:236)
==4264==    by 0x870014: concat_function (zend_operators.c:1329)
==4264==    by 0x8D835F: ZEND_CONCAT_SPEC_TMP_CONST_HANDLER (zend_vm_execute.h:8510)
==4264==    by 0x8EBD9F: execute_ex (zend_vm_execute.h:363)
==4264==    by 0x877B28: zend_execute_scripts (zend.c:1316)
==4264==    by 0x819828: php_execute_script (main.c:2506)
==4264==    by 0x92863B: do_cli (php_cli.c:994)
==4264==    by 0x928DD7: main (php_cli.c:1378)
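
The missing length check described in the report, as an added C example that is not part of the report and is not PHP's own patch: a uudecoder that compares each line's length character against the bytes actually remaining before it reads them. The name `uudecode_checked` and its signature are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define UU_DEC(c) (((unsigned char)(c) - ' ') & 0x3f)

/* Returns bytes written to dst, or -1 when a line's length character
 * promises more data than src still holds or dst can take. */
long uudecode_checked(const char *src, size_t src_len,
                      unsigned char *dst, size_t dst_cap)
{
    size_t in = 0, out = 0;

    while (in < src_len) {
        size_t n = UU_DEC(src[in++]);   /* decoded byte count for this line */
        size_t need = (n + 2) / 3 * 4;  /* encoded characters that must follow */
        if (n == 0)
            break;                      /* zero-length line terminates the data */
        if (need > src_len - in || n > dst_cap - out)
            return -1;                  /* short line: stop before reading past the end */
        for (size_t i = 0; i < need; i += 4) {
            const char *p = src + in + i;
            unsigned char b[3] = {
                (unsigned char)(UU_DEC(p[0]) << 2 | UU_DEC(p[1]) >> 4),
                (unsigned char)(UU_DEC(p[1]) << 4 | UU_DEC(p[2]) >> 2),
                (unsigned char)(UU_DEC(p[2]) << 6 | UU_DEC(p[3]))
            };
            size_t take = n - i / 4 * 3;  /* last group may carry 1 or 2 bytes */
            if (take > 3)
                take = 3;
            memcpy(dst + out, b, take);
            out += take;
        }
        in += need;
        if (in < src_len && src[in] == '\n')
            in++;                       /* skip the line terminator */
    }
    return (long)out;
}

int main(void)
{
    /* The report's test string: one full 45-byte line, then "!." (claims 1 byte). */
    const char *bad = "M" "86%A86%A86%A86%A86%A" "86%A86%A86%A86%A86%A"
                      "86%A86%A86%A86%A86%A" "\n" "!.";
    unsigned char buf[64];
    printf("%ld\n", uudecode_checked(bad, strlen(bad), buf, sizeof buf));
    return 0;
}
```

The second line of the report's input starts with `!`, which announces one decoded byte and therefore four encoded characters, but only `.` follows; the check rejects it instead of reading the three characters that are not there.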
[2014-05-12 03:23 UTC] stas@php.net
[2014-05-14 00:16 UTC] stas@php.net
-Status: Open
+Status: Closed
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: stas
[2014-05-14 00:16 UTC] stas@php.net