Fix Bug #80972: Memory exhaustion on invalid string offset (PHP7) #6909

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
13 changes: 7 additions & 6 deletions NEWS
@@ -9,6 +9,7 @@ PHP NEWS
(cmb)
. Fixed bug #67792 (HTTP Authorization schemes are treated as case-sensitive).
(cmb)
. Fixed bug Bug #80972 (Memory exhaustion on invalid string offset). (girgias)

- pgsql:
. Fixed php_pgsql_fd_cast() wrt. php_stream_can_cast(). (cmb)
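Review bot: The new NEWS entry reads `. Fixed bug Bug #80972 (Memory exhaustion on invalid string offset). (girgias)`, repeating the word; the neighbouring entries use the form `. Fixed bug #67792 (...)`, so the second "Bug" should be dropped to read `. Fixed bug #80972 (Memory exhaustion on invalid string offset). (girgias)`.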
@@ -210,7 +211,7 @@ PHP NEWS
PROCEDURE resultset SIGNAL). (Nikita)

- Standard:
. Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo).
. Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo).
(CVE-2020-7071) (cmb)
. Fixed bug #80366 (Return Value of zend_fstat() not Checked). (sagpant, cmb)
. Fixed bug #80411 (References to null-serialized object break serialize()).
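Review bot: The removed and added lines in this hunk carry identical visible text (`. Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo).`), so this is a whitespace-only change, as are the remaining NEWS hunks below; none of them relate to bug #80972 and they would be easier to review in a separate cleanup commit.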
@@ -349,7 +350,7 @@ PHP NEWS
. Fixed bug #80048 (Bug #69100 has not been fixed for Windows). (cmb)
. Fixed bug #80049 (Memleak when coercing integers to string via variadic
argument). (Nikita)
. Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-`
. Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-`
cookies can be sent). (CVE-2020-7070) (Stas)

- Calendar:
@@ -368,7 +369,7 @@ PHP NEWS
handlers changed). (SammyK)

- OpenSSL:
. Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
. Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
bytes IV). (CVE-2020-7069) (Jakub Zelenka)

- PDO:
@@ -450,7 +451,7 @@ PHP NEWS
(cmb)

- Core:
. Fixed bug #79877 (getimagesize function silently truncates after a null
. Fixed bug #79877 (getimagesize function silently truncates after a null
byte) (cmb)
. Fixed bug #79740 (serialize() and unserialize() methods can not be called
statically). (Nikita)
@@ -511,7 +512,7 @@ PHP NEWS
. Fixed possibly unsupported timercmp() usage. (cmb)

- Exif:
. Fixed bug #79687 (Sony picture - PHP Warning - Make, Model, MakerNotes).
. Fixed bug #79687 (Sony picture - PHP Warning - Make, Model, MakerNotes).
(cmb)

- Fileinfo:
@@ -727,7 +728,7 @@ PHP NEWS
. Fixed bug #79014 (PHP-FPM & Primary script unknown). (Jakub Zelenka)

- MBstring:
. Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at
. Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at
php_unicode_tolower_full). (CVE-2020-7065) (cmb)

- MySQLi:
41 changes: 41 additions & 0 deletions Zend/tests/bug80972.phpt
@@ -0,0 +1,41 @@
--TEST--
Bug #80972: Memory exhaustion on invalid string offset
--FILE--
<?php

function exceptions_error_handler($severity, $message, $filename, $lineno) {
if (error_reporting() & $severity) {
throw new ErrorException($message, 0, $severity, $filename, $lineno);
}
}
set_error_handler('exceptions_error_handler');

$float = 10e120;
$string_float = (string) $float;

$string = 'Here is some text for good measure';

try {
echo 'Float casted to string compile', \PHP_EOL;
$string[(string) 10e120] = 'E';
var_dump($string);
} catch (\Throwable $e) {
echo $e->getMessage(), \PHP_EOL;
}

/* This same bug also permits to modify the first byte of a string even if
* the offset is invalid */
try {
/* This must not affect the string value */
$string["wrong"] = "f";
} catch (\Throwable $e) {
echo $e->getMessage() . \PHP_EOL;
}
var_dump($string);

?>
--EXPECT--
Float casted to string compile
Illegal string offset '1.0E+121'
Illegal string offset 'wrong'
string(34) "Here is some text for good measure"
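Review bot: `$float` and `$string_float` are assigned but never used; the first try block casts `10e120` inline (`$string[(string) 10e120] = 'E';`), so either write `$string[$string_float] = 'E';` or drop the two assignments. Two wording nits: `echo 'Float casted to string compile'` should use "cast" (and the same string appears in --EXPECT--, so both must change together), and the comment "This same bug also permits to modify the first byte" reads better as "also allows modifying the first byte".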
6 changes: 6 additions & 0 deletions Zend/zend_execute.c
@@ -1550,6 +1550,12 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
zend_long offset;

offset = zend_check_string_offset(dim, BP_VAR_W EXECUTE_DATA_CC);
if (UNEXPECTED(EG(exception) != NULL)) {
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
ZVAL_UNDEF(EX_VAR(opline->result.var));
}
return;
}
if (offset < -(zend_long)Z_STRLEN_P(str)) {
/* Error on negative offset */
zend_error(E_WARNING, "Illegal string offset: " ZEND_LONG_FMT, offset);
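Review bot: The `RETURN_VALUE_USED(opline)` branch of the new early return is not exercised by Zend/tests/bug80972.phpt, where both `$string[...] = ...` assignments are statements whose result is discarded; a case such as `var_dump($string["wrong"] = "f");` inside a try block would cover the `ZVAL_UNDEF(EX_VAR(opline->result.var))` path. The new block would also benefit from a short comment in the style of the `/* Error on negative offset */` line just below it, stating that `offset` is not meaningful once `zend_check_string_offset()` has left an exception pending (as when the test's error handler turns the "Illegal string offset" warning into an ErrorException), which is why execution must not fall through to the length checks and the string write.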