PHP :: Sec Bug #71906 :: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
| Sec Bug #71906 | AddressSanitizer: negative-size-param (-1) in mbfl_strcut | | |
|---|---|---|---|
| Submitted: | 2016-03-26 23:29 UTC | Modified: | 2016-04-25 17:06 UTC |
| From: | fernando at null-life dot com | Assigned: | stas |
| Status: | Closed | Package: | mbstring related |
| PHP Version: | 5.5.33 | OS: | |
| Private report: | No | CVE-ID: | 2016-4073 |
[2016-03-26 23:29 UTC] fernando at null-life dot com
Description:
------------
1. Compile PHP with ASAN enabled.
2. Run attached test case on 32 bits.

```
php5-5.6.17+dfsg.orig/ext/mbstring/mbstring.c:2858
2858        if (len < 0) {
(gdb) print len
$64 = 2147483647
```

This value will later set the sz value to -1, and that value is used inside memcpy.

```
php5-5.6.17+dfsg.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c:1542
1560        sz = end - start;
...
1568        memcpy(w, start, sz);
```
Test script:
---------------
```php
<?php
$var1 = "AAAA";
$var2 = 1;
$var3 = 2147483647; // max int
mb_strcut($var1, $var2, $var3);
```
Expected result:
----------------
Not crash
Actual result:
--------------
```
=================================================================
==415==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0xb7ae5b04 in __asan_memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ab04)
    #1 0xb7ae5c2f in memcpy (/usr/lib/i386-linux-gnu/libasan.so.2+0x8ac2f)
    #2 0x87cb167 in memcpy /usr/include/i386-linux-gnu/bits/string3.h:53
    #3 0x87cb167 in mbfl_strcut /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/mbstring/libmbfl/mbfl/mbfilter.c:1568
    #4 0x87fcb5e in zif_mb_strcut /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/ext/mbstring/mbstring.c:2869
    #5 0x9a3a625 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:558
    #6 0x9626675 in execute_ex /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:363
    #7 0x97d2a43 in zend_execute /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_vm_execute.h:388
    #8 0x94291fb in zend_execute_scripts /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend.c:1341
    #9 0x912def5 in php_execute_script /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/main/main.c:2597
    #10 0x9a47448 in do_cli /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:994
    #11 0x8087418 in main /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php_cli.c:1378
    #12 0xb7640645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #13 0x80879eb (/home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/sapi/cli/php+0x80879eb)

0xb3017411 is located 97297 bytes inside of 1048576-byte region [0xb2fff800,0xb30ff800)
allocated by thread T0 here:
    #0 0xb7af1d06 in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96d06)
    #1 0x954157e in zend_interned_strings_init /home/fmunozs/phpasan/php5-5.6.17+dfsg.orig/Zend/zend_string.c:48

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
```
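The arithmetic class behind this report, as an added example that is not PHP's or libmbfl's code: a length of 2147483647 passes a `len < 0` check, but once it is added to a start offset in 32-bit `int` arithmetic the sum wraps, a `from + length > total` clamp never fires, and the byte count derived from it goes negative before reaching `memcpy()`. The hardened variant compares `length` against the space remaining instead of ever forming the sum. Function names and the modelled clamp are assumptions for illustration, not the actual `mbfl_strcut` source.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the wrap-prone pattern (not libmbfl's code).
 * 32-bit arithmetic is made explicit so the wrap reproduces on 64-bit
 * hosts; a 32-bit build does the same thing implicitly with plain int. */
static int32_t naive_end(int32_t total, int32_t from, int32_t length)
{
    /* 1 + INT32_MAX -> 0x80000000 -> INT32_MIN after the cast */
    int32_t end = (int32_t)((uint32_t)from + (uint32_t)length);
    if (end > total)      /* false once end has wrapped negative */
        end = total;
    return end;           /* a later `end - start` is then < 0 */
}

/* Hardened bounds: reject negatives up front, clamp `from`, and compare
 * `length` with the bytes left rather than computing `from + length`.
 * `long` mirrors the width of the PHP-level arguments; size_t never
 * underflows here because *start <= total is established first. */
static int safe_cut_bounds(size_t total, long from, long length,
                           size_t *start, size_t *end)
{
    if (from < 0 || length < 0)
        return -1;                                    /* reject, like `len < 0` */
    *start = ((size_t)from > total) ? total : (size_t)from;
    size_t remaining = total - *start;
    *end = ((size_t)length > remaining) ? total : *start + (size_t)length;
    return 0;                                         /* 0 <= *end - *start <= total */
}

/* Byte count a hardened cut would hand to memcpy, or -1 when rejected. */
static long safe_cut_size(size_t total, long from, long length)
{
    size_t s, e;
    return safe_cut_bounds(total, from, length, &s, &e) == 0 ? (long)(e - s) : -1;
}

int main(void)
{
    /* Same inputs as the report's test script: "AAAA", from 1, length INT32_MAX */
    printf("naive end (4, 1, INT32_MAX): %d\n", naive_end(4, 1, INT32_MAX));
    printf("safe size  (4, 1, INT32_MAX): %ld\n", safe_cut_size(4, 1, INT32_MAX));
    return 0;
}
```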
History
[2016-03-28 08:22 UTC] stas@php.net
-PHP Version: 5.6.19 +PHP Version: 5.5.33
[2016-03-28 08:27 UTC] stas@php.net
[2016-03-29 00:29 UTC] fernando at null-life dot com
[2016-03-29 06:47 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-03-29 06:55 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2016-04-25 17:06 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4073