Headline

CVE-2016-5770: : Sec Bug #72262 :: int/size_t confusion in SplFileObject::fread

Integer overflow in the SplFileObject::fread function in spl_directory.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096.

8 years ago

CVE

Open in Source

#dos #git #php

Sec Bug #72262

int/size_t confusion in SplFileObject::fread

Submitted:

2016-05-25 09:44 UTC

Modified:

2016-06-27 00:14 UTC

From:

taoguangchen at icloud dot com

Assigned:

stas (profile)

Status:

Closed

Package:

SPL related

PHP Version:

5.5.35

OS:

Private report:

CVE-ID:

2016-5770

[2016-05-25 09:44 UTC] taoguangchen at icloud dot com

Description:

int/size_t confusion in SplFileObject::fread

this bug similar with bug#72114

``` SPL_METHOD(SplFileObject, fread) { spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC); long length = 0;

if (zend\_parse\_parameters(ZEND\_NUM\_ARGS() TSRMLS\_CC, "l", &length) == FAILURE) {
    return;
}

if (length <= 0) {
    php\_error\_docref(NULL TSRMLS\_CC, E\_WARNING, "Length parameter must be greater than 0");
    RETURN\_FALSE;
}

Z\_STRVAL\_P(return\_value) = emalloc(length + 1);
Z\_STRLEN\_P(return\_value) = php\_stream\_read(intern->u.file.stream, Z\_STRVAL\_P(return\_value), length);

/\* needed because recv/read/gzread doesnt put a null at the end\*/
Z\_STRVAL\_P(return\_value)\[Z\_STRLEN\_P(return\_value)\] = 0;
Z\_TYPE\_P(return\_value) = IS\_STRING;

} ```

PoC: ``` <?php

ini_set('memory_limit’, -1); $filename = '/dev/zero’; $file = new SplFileObject($filename, ‘r’); $file->fread(2147483648);

?> ```

Fix: ``` RETURN_FALSE; }

if (length > INT_MAX) {

  php\_error\_docref(NULL TSRMLS\_CC, E\_WARNING, "Length parameter must be no more than %d", INT\_MAX);

```
  RETURN\_FALSE;
```
}

Z_STRVAL_P(return_value) = emalloc(length + 1); ```

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-06-16 05:00 UTC] [email protected]

-Assigned To: +Assigned To: stas

[2016-06-21 06:49 UTC] [email protected]

-Status: Assigned +Status: Closed

[2016-06-25 02:13 UTC] seth dot arnold at canonical dot com

What happens if length == INT_MAX? Won’t that cause emalloc(length + 1) to fail?

Thanks

[2016-06-27 00:14 UTC] [email protected]

emalloc gets size_t, so it’ll probably try to allocate a lot of memory - which will most probably fail.

Related news

CVE-2016-5771: PHP: PHP 5 ChangeLog

spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.

CVE-2014-3479: PHP: PHP 5 ChangeLog

The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.