CVE-2016-5770: Sec Bug #72262: int/size_t confusion in SplFileObject::fread
Integer overflow in the SplFileObject::fread function in spl_directory.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096.
Sec Bug #72262: int/size_t confusion in SplFileObject::fread
Submitted: 2016-05-25 09:44 UTC
Modified: 2016-06-27 00:14 UTC
From: taoguangchen at icloud dot com
Assigned: stas
Status: Closed
Package: SPL related
PHP Version: 5.5.35
OS:
Private report: No
CVE-ID: 2016-5770
[2016-05-25 09:44 UTC] taoguangchen at icloud dot com
Description:
int/size_t confusion in SplFileObject::fread
This bug is similar to bug #72114.
```
SPL_METHOD(SplFileObject, fread)
{
	spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
	long length = 0; /* 64-bit on LP64 builds */

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &length) == FAILURE) {
		return;
	}

	if (length <= 0) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be greater than 0");
		RETURN_FALSE;
	}

	Z_STRVAL_P(return_value) = emalloc(length + 1);
	/* php_stream_read() returns size_t, but Z_STRLEN_P() is an int in PHP 5:
	   a length above INT_MAX is truncated here, and the index used below follows it */
	Z_STRLEN_P(return_value) = php_stream_read(intern->u.file.stream, Z_STRVAL_P(return_value), length);
	/* needed because recv/read/gzread doesnt put a null at the end*/
	Z_STRVAL_P(return_value)[Z_STRLEN_P(return_value)] = 0;
	Z_TYPE_P(return_value) = IS_STRING;
}
```
PoC:
```
<?php
ini_set('memory_limit', -1);
$filename = '/dev/zero';
$file = new SplFileObject($filename, 'r');
$file->fread(2147483648);
?>
```
Fix:
```
		RETURN_FALSE;
	}

	if (length > INT_MAX) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
		RETURN_FALSE;
	}

	Z_STRVAL_P(return_value) = emalloc(length + 1);
```
History
[2016-06-16 05:00 UTC] [email protected]
-Assigned To: +Assigned To: stas
[2016-06-21 06:49 UTC] [email protected]
-Status: Assigned +Status: Closed
[2016-06-25 02:13 UTC] seth dot arnold at canonical dot com
What happens if length == INT_MAX? Won’t that cause emalloc(length + 1) to fail?
Thanks
[2016-06-27 00:14 UTC] [email protected]
emalloc gets size_t, so it’ll probably try to allocate a lot of memory - which will most probably fail.
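The following is an added model of the length handling discussed in the report and in the exchange about `length == INT_MAX` above; it is constructed for this page and is not PHP's code. It assumes an LP64 build (a PHP 5 `long` is 64 bits while `Z_STRLEN_P()` is a 32-bit `int`), uses a stand-in for `php_stream_read()` on `/dev/zero` that delivers every requested byte, and never performs the multi-gigabyte allocation: it only computes the allocation size and the terminator index that the original and the fixed code would use. The names `fread_outcome`, `model_stream_read`, `model_fread_original` and `model_fread_fixed` are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not PHP's code) of one SplFileObject::fread(length) call. */
typedef struct {
    int  rejected;         /* 1 if the length check refused the call */
    long bytes_allocated;  /* size the code would pass to emalloc(length + 1) */
    long terminator_index; /* index at which the NUL terminator would be written */
    int  oob_write;        /* 1 if that index lies outside the allocation */
} fread_outcome;

/* Stand-in for php_stream_read() on /dev/zero: every requested byte is delivered. */
static size_t model_stream_read(size_t length)
{
    return length;
}

/* Original (pre-fix) path: only `length <= 0` is rejected. */
fread_outcome model_fread_original(long length)
{
    fread_outcome o = {0, 0, 0, 0};
    int strlen_field; /* Z_STRLEN_P(return_value) is an int in PHP 5 */

    if (length <= 0) {
        o.rejected = 1;
        return o;
    }
    o.bytes_allocated = length + 1;
    /* size_t result narrowed to int: 2147483648 becomes -2147483648 on
       two's-complement compilers, and the NUL is then written at that index */
    strlen_field = (int)model_stream_read((size_t)length);
    o.terminator_index = strlen_field;
    o.oob_write = (strlen_field < 0 || (long)strlen_field >= o.bytes_allocated);
    return o;
}

/* Fixed path: the INT_MAX check from the report runs before the allocation. */
fread_outcome model_fread_fixed(long length)
{
    fread_outcome o = {0, 0, 0, 0};

    if (length <= 0 || length > INT_MAX) {
        o.rejected = 1;
        return o;
    }
    /* length now fits in an int, so the narrowing above is lossless */
    return model_fread_original(length);
}

static void report(const char *label, long length, fread_outcome o)
{
    printf("%-8s length=%ld rejected=%d alloc=%ld nul_index=%ld oob=%d\n",
           label, length, o.rejected, o.bytes_allocated, o.terminator_index, o.oob_write);
}

int main(void)
{
    long poc = 2147483648L; /* the value from the PoC: INT_MAX + 1 */

    report("original", poc, model_fread_original(poc));
    report("fixed", poc, model_fread_fixed(poc));
    /* the edge case raised in the follow-up: length == INT_MAX passes the check
       and requests a 2 GiB + 1 byte allocation, but the terminator index stays valid */
    report("fixed", INT_MAX, model_fread_fixed(INT_MAX));
    report("fixed", 16, model_fread_fixed(16));
    return 0;
}
```

Build with `cc -Wall model.c -o model` and run it. The original path turns the PoC length into a negative terminator index, which is the out-of-bounds write behind the report; the fixed path rejects that length outright. For `length == INT_MAX` the model agrees with the reply above: the check passes, `emalloc()` receives `INT_MAX + 1` as a `size_t` (a 2 GiB request that will usually fail), and the index itself stays inside the allocation, so the remaining risk is the allocation size rather than memory corruption.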