Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 97f8ca5

Browse files
GirgiasGirgias
committed
Fix Bug #80972: Memory exhaustion on invalid string offset
Closes GH-6909
1 parent a277129 commit 97f8ca5

File tree

3 files changed

+54
-6
lines changed

3 files changed

+54
-6
lines changed

NEWS

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ PHP NEWS
99
(cmb)
1010
. Fixed bug #67792 (HTTP Authorization schemes are treated as case-sensitive).
1111
(cmb)
12+
. Fixed bug Bug #80972 (Memory exhaustion on invalid string offset). (girgias)
1213

1314
- pgsql:
1415
. Fixed php_pgsql_fd_cast() wrt. php_stream_can_cast(). (cmb)
@@ -210,7 +211,7 @@ PHP NEWS
210211
PROCEDURE resultset SIGNAL). (Nikita)
211212

212213
- Standard:
213-
. Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo).
214+
. Fixed bug #77423 (FILTER_VALIDATE_URL accepts URLs with invalid userinfo).
214215
(CVE-2020-7071) (cmb)
215216
. Fixed bug #80366 (Return Value of zend_fstat() not Checked). (sagpant, cmb)
216217
. Fixed bug #80411 (References to null-serialized object break serialize()).
@@ -349,7 +350,7 @@ PHP NEWS
349350
. Fixed bug #80048 (Bug #69100 has not been fixed for Windows). (cmb)
350351
. Fixed bug #80049 (Memleak when coercing integers to string via variadic
351352
argument). (Nikita)
352-
. Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-`
353+
. Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-`
353354
cookies can be sent). (CVE-2020-7070) (Stas)
354355

355356
- Calendar:
@@ -368,7 +369,7 @@ PHP NEWS
368369
handlers changed). (SammyK)
369370

370371
- OpenSSL:
371-
. Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
372+
. Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
372373
bytes IV). (CVE-2020-7069) (Jakub Zelenka)
373374

374375
- PDO:
@@ -450,7 +451,7 @@ PHP NEWS
450451
(cmb)
451452

452453
- Core:
453-
. Fixed bug #79877 (getimagesize function silently truncates after a null
454+
. Fixed bug #79877 (getimagesize function silently truncates after a null
454455
byte) (cmb)
455456
. Fixed bug #79740 (serialize() and unserialize() methods can not be called
456457
statically). (Nikita)
@@ -511,7 +512,7 @@ PHP NEWS
511512
. Fixed possibly unsupported timercmp() usage. (cmb)
512513

513514
- Exif:
514-
. Fixed bug #79687 (Sony picture - PHP Warning - Make, Model, MakerNotes).
515+
. Fixed bug #79687 (Sony picture - PHP Warning - Make, Model, MakerNotes).
515516
(cmb)
516517

517518
- Fileinfo:
@@ -727,7 +728,7 @@ PHP NEWS
727728
. Fixed bug #79014 (PHP-FPM & Primary script unknown). (Jakub Zelenka)
728729

729730
- MBstring:
730-
. Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at
731+
. Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at
731732
php_unicode_tolower_full). (CVE-2020-7065) (cmb)
732733

733734
- MySQLi:

Zend/tests/bug80972.phpt

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
--TEST--
2+
Bug #80972: Memory exhaustion on invalid string offset
3+
--FILE--
4+
<?php
5+
6+
function exceptions_error_handler($severity, $message, $filename, $lineno) {
7+
if (error_reporting() & $severity) {
8+
throw new ErrorException($message, 0, $severity, $filename, $lineno);
9+
}
10+
}
11+
set_error_handler('exceptions_error_handler');
12+
13+
$float = 10e120;
14+
$string_float = (string) $float;
15+
16+
$string = 'Here is some text for good measure';
17+
18+
try {
19+
echo 'Float casted to string compile', \PHP_EOL;
20+
$string[(string) 10e120] = 'E';
21+
var_dump($string);
22+
} catch (\Throwable $e) {
23+
echo $e->getMessage(), \PHP_EOL;
24+
}
25+
26+
/* This same bug also permits to modify the first byte of a string even if
27+
* the offset is invalid */
28+
try {
29+
/* This must not affect the string value */
30+
$string["wrong"] = "f";
31+
} catch (\Throwable $e) {
32+
echo $e->getMessage() . \PHP_EOL;
33+
}
34+
var_dump($string);
35+
36+
?>
37+
--EXPECT--
38+
Float casted to string compile
39+
Illegal string offset '1.0E+121'
40+
Illegal string offset 'wrong'
41+
string(34) "Here is some text for good measure"

Zend/zend_execute.c

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1550,6 +1550,12 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
15501550
zend_long offset;
15511551

15521552
offset = zend_check_string_offset(dim, BP_VAR_W EXECUTE_DATA_CC);
1553+
if (UNEXPECTED(EG(exception) != NULL)) {
1554+
if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
1555+
ZVAL_UNDEF(EX_VAR(opline->result.var));
1556+
}
1557+
return;
1558+
}
15531559
if (offset < -(zend_long)Z_STRLEN_P(str)) {
15541560
/* Error on negative offset */
15551561
zend_error(E_WARNING, "Illegal string offset: " ZEND_LONG_FMT, offset);

0 commit comments

Comments
 (0)