integer overflow in fgets cause heap corruption
| Bug #73011 | integer overflow in fgets cause heap corruption | ||||
|---|---|---|---|---|---|
| Submitted: | 2016-09-04 11:37 UTC | Modified: | 2017-02-13 01:25 UTC | ||
| From: | minhrau dot vc dot 365 at gmail dot com | Assigned: | stas (profile) | ||
| Status: | Closed | Package: | Filesystem function related | ||
| PHP Version: | 5.6.25 | OS: | ALL | ||
| Private report: | No | CVE-ID: | None | ||
[2016-09-04 11:37 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
Integer overflow in function fgets lead to heap corruption. Please check comment below:
PHPAPI PHP_FUNCTION(fgets)
{
zval *res;
long len = 1024;
char *buf = NULL;
int argc = ZEND_NUM_ARGS();
size_t line_len = 0;
php_stream *stream;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|l", &res, &len) == FAILURE) {
RETURN_FALSE;
}
PHP_STREAM_TO_ZVAL(stream, &res);
if (argc == 1) {
/* ask streams to give us a buffer of an appropriate size */
buf = php_stream_get_line(stream, NULL, 0, &line_len); //<- return string with size_t length
if (buf == NULL) {
goto exit_failed;
}
} else if (argc > 1) {
if (len <= 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be greater than 0");
RETURN_FALSE;
}
buf = ecalloc(len + 1, sizeof(char));
if (php_stream_get_line(stream, buf, len, &line_len) == NULL) {
goto exit_failed;
}
}
//didn't check for len > INT_MAX
ZVAL_STRINGL(return_value, buf, line_len, 0);
Test script:
---------------
<?php
ini_set('memory_limit', -1);
$fd = fopen("/opt/lampp/htdocs/a", "r"); //file a with line > max_int
$str1 = fgets($fd);
var_dump(strlen($str1));
chunk_split($str1, 11, $str1);
?>
Expected result:
----------------
No Crash
Actual result:
--------------
Starting program: /home/minhrau/PHP-5.6.25/sapi/cli/php ~/phptestcase/testfgets.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
int(-2147483523)
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff10a59a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007ffff10a59a4 in __memmove_avx_unaligned_erms () from /usr/lib/libc.so.6
#1 0x000000000085c99e in zif_chunk_split (ht=3, return_value=0x7ffff7fa14c0, return_value_ptr=0x7ffff7f6c0d8, this_ptr=0x0, return_value_used=0) at /home/minhrau/PHP-5.6.25/ext/standard/string.c:2218
#2 0x00000000009cca94 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:558
#3 0x00000000009d46c4 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:2602
#4 0x00000000009caf87 in execute_ex (execute_data=0x7ffff7f6c210) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:363
#5 0x00000000009cb973 in zend_execute (op_array=0x7ffff7fa08d8) at /home/minhrau/PHP-5.6.25/Zend/zend_vm_execute.h:388
#6 0x0000000000986e73 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/minhrau/PHP-5.6.25/Zend/zend.c:1341
#7 0x00000000008f7dcf in php_execute_script (primary_file=0x7fffffffe2a0) at /home/minhrau/PHP-5.6.25/main/main.c:2613
#8 0x0000000000aa9bf5 in do_cli (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:994
#9 0x0000000000aaac43 in main (argc=2, argv=0x1381960) at /home/minhrau/PHP-5.6.25/sapi/cli/php_cli.c:1378
(gdb)
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2016-09-04 11:39 UTC] minhrau dot vc dot 365 at gmail dot com
-Package: *General Issues +Package: Filesystem function related
[2016-09-04 11:39 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-09-05 05:22 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-09-05 05:26 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-09-13 04:12 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2016-09-13 04:12 UTC] stas@php.net
[2017-02-13 01:25 UTC] stas@php.net
-Type: Security +Type: Bug