This is an overview of existing segfaults in the current PHP source
tree.
Fixed:
mb_convert_encoding (Moriyoshi)
socket_iovec_alloc (Rasmus)
exif_imagetype,exif_thumbnail (Rasmus)
dbase_open (Rasmus)
array_pad (Rasmus)
setlocale (Rasmus)
unregister_tick_function (Rasmus)
bcsub (Rasmus)
str_repeat (Ilia)
imagecopyresized (Ilia)
mhash_keygen_s2k (Ilia)
mb_ereg, mb_ereg_match, mb_eregi, mb_split (Moriyoshi)
xml_parser_create (Moriyoshi)
ob_start (Sascha)
imagecreate/-truecolor (Sascha)
flock (Sascha)
register_shutdown_function (Sascha)
mb_strcut('', [number greater than the length of first arg]) (Moriyoshi)
ext/exif, ext/dba (7) (Marcus)
Open:
the dbase extension (1)
chunk_split (2)
socket_select (3)
php_imagepolygon (4)
imagesetstyle (5)
bundled gd (6)
php_base64_encode (8)
pack (9)
(1) heap corruption, mostly visible in malloc-related calls. Whether you see
this or not might depend on your libc/compiler. Hard to track down,
because the result of the corruption might be quite delayed.
Reproducible with glibc-2.3/gcc 3.2.2 by:
cat <<X | php do_crash
dbase_add_record
dbase_close
dbase_create
dbase_delete_record
dbase_get_record
dbase_get_record_with_names
dbase_numfields
dbase_numrecords
dbase_open
X
(2) integer overflow in php_chunk_split
(3) heap corruption, dies in efree()/execute()
Methodology
1. Use a plain PHP_4_3 tree
2. Use the config.nice from amendment 1.
3. Download the test script from:
<URL:http://schumann.cx/do_crash.txt>
4a. Use the scripts funcparse.awk/genfunclist.sh from phpdoc/scripts
for creating a plain text function list. Feed that list to
the script. Avoid calls like pcntl_fork. Manually remove functions
which take too long to finish/eat up all memory.
4b. For testing a single function, echo the name of the function to
the script like this:
echo dbase_open | php do_crash.txt
(4) integer overflow inside php_imagepolygon and possible subsequent
integer overflows inside gdlib's gdImageFilledPolygon().
(5) integer overflow if the number of elements in the array passed as
second argument * sizeof(int) overflows.
gdImageSetStyle function called by this php wrapper can die for the
same reason.
(6) multiple integer overflows that can occur when trying to allocate a buffer
for a new image. Affected functions:
gdImageCreateFromJpegCtx
readwbmp
gdImageCreateFromXpm
gdImageCreateFromPngCtx
gdImagePngCtx
gdImageCreateFromJpegCtx
gdImageJpegCtx
gdImageCreateFromGd2Ctx
gdImageCreateFromGd2PartCtx
_gdImageGd2
GetDataBlock (gd_gif_in.c)
(7) a few possible integer overflows; once safe_emalloc() or something similar
is implemented they can all be addressed.
(8) integer overflow if the specified string is longer than ~1.1 billion bytes.
(9) multiple integer overflows, ex. pack("d4294967297", 2);
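The common root of notes (2), (5), (7), (8) and (9) is an allocation size computed as element-count * element-size (+ fixed overhead) without checking that the multiplication fits in size_t. The following is an added illustration, not code from the PHP tree: a checked size computation in the spirit of the safe_emalloc() note (7) proposes, next to the unchecked pattern, plus a hypothetical chunk_split-style sizing formula (the exact formula in php_chunk_split is assumed, not taken from the page).

```c
#include <stdint.h>
#include <stdlib.h>

/* Overflow-checked total = nmemb * size + offset, modelled on the
 * safe_emalloc() idea in note (7). Returns 1 and stores the total,
 * or 0 if either the product or the addition would wrap size_t.
 * Added illustration, not the engine's own implementation. */
static int checked_alloc_size(size_t nmemb, size_t size, size_t offset,
                              size_t *total)
{
    size_t prod;
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return 0;                       /* nmemb * size wraps */
    prod = nmemb * size;
    if (offset > SIZE_MAX - prod)
        return 0;                       /* prod + offset wraps */
    *total = prod + offset;
    return 1;
}

/* The unchecked pattern behind the notes above: the wrapped product
 * is what the allocator sees, so a huge element count can turn into
 * a tiny buffer that is then written past. */
static size_t naive_alloc_size(size_t nmemb, size_t size, size_t offset)
{
    return nmemb * size + offset;
}

/* Allocator wrapper: NULL instead of an undersized buffer. */
static void *safe_alloc(size_t nmemb, size_t size, size_t offset)
{
    size_t total;
    if (!checked_alloc_size(nmemb, size, offset, &total))
        return NULL;
    return malloc(total);
}

/* Hypothetical chunk_split-style result sizing (note 2): src_len bytes
 * plus one end marker of end_len bytes per chunk_len-byte chunk, with
 * one extra marker for the final partial chunk. 0 on overflow. */
static int chunk_split_result_size(size_t src_len, size_t chunk_len,
                                   size_t end_len, size_t *total)
{
    if (chunk_len == 0 || src_len / chunk_len == SIZE_MAX)
        return 0;
    return checked_alloc_size(src_len / chunk_len + 1, end_len,
                              src_len, total);
}
```

Asking for SIZE_MAX / sizeof(int) + 1 ints makes the naive formula request 0 bytes, while the checked version refuses the allocation outright.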
Amendment 1.
CFLAGS='-O0 -g' \
'../src/php4/configure' \
'--enable-pcntl' \
'--enable-shmop' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-wddx' \
'--enable-yp' \
'--enable-filepro' \
'--enable-ftp' \
'--enable-dba' \
'--enable-dbase' \
'--enable-dio' \
'--enable-exif' \
'--enable-mbstring' \
'--enable-mbregex' \
'--enable-sockets' \
'--enable-bcmath' \
'--enable-calendar' \
"$@"