integer overflow in imap_8bit caused heap corruption
| Bug #73208 | integer overflow in imap_8bit caused heap corruption | ||||
|---|---|---|---|---|---|
| Submitted: | 2016-09-30 09:10 UTC | Modified: | 2017-02-13 01:11 UTC | ||
| From: | minhrau dot vc dot 365 at gmail dot com | Assigned: | stas (profile) | ||
| Status: | Closed | Package: | IMAP related | ||
| PHP Version: | 5.6.27RC1 | OS: | ALL | ||
| Private report: | No | CVE-ID: | None | ||
[2016-09-30 09:10 UTC] minhrau dot vc dot 365 at gmail dot com
Description:
------------
integer overflow in function imap_8bit will cause string length > int max.
PHP_FUNCTION(imap_8bit)
{
char *text, *decode;
int text_len;
unsigned long newlength;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &text, &text_len) == FAILURE) {
return;
}
decode = (char *) rfc822_8bit((unsigned char *) text, text_len, &newlength); //here produce string with length > int max
if (decode == NULL) {
RETURN_FALSE;
}
RETVAL_STRINGL(decode, newlength, 1);
fs_give((void**) &decode);
Test script:
---------------
<?php
ini_set('memory_limit', -1);
$str = str_repeat('รณ', 0xffffffff/10);
var_dump(strlen($str));
$str1 = imap_8bit($str);
var_dump(strlen($str1));
?>
Expected result:
----------------
String length < int max
Actual result:
--------------
negative length value
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2016-10-03 07:13 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-10-03 07:22 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2017-02-13 01:11 UTC] stas@php.net
-Type: Security +Type: Bug