Memory management is broken for bad dictionaries #16326

Closed
@YuanchengJiang

Description

The following code:

<?php
// Reproducer as posted: $offsets is defined by the helper file included below
// and is handed over unchanged as the "dictionary" option.
require_once __DIR__ . DIRECTORY_SEPARATOR . 'test_offset_helpers.inc';
$fusion = $offsets;
// Triggers the AddressSanitizer report shown below.
$r = deflate_init(ZLIB_ENCODING_DEFLATE, ["dictionary" => $fusion]);

Resulted in this output:

=================================================================
==2278709==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000264 at pc 0x55876106cf42 bp 0x7ffd9ea46bb0 sp 0x7ffd9ea46ba8
READ of size 4 at 0x603000000264 thread T0
    #0 0x55876106cf41 in zend_mm_free_heap /php-src/Zend/zend_alloc.c:1528:28
    #1 0x558761072825 in _efree /php-src/Zend/zend_alloc.c:2751:2
    #2 0x55875e2bcdb2 in zlib_create_dictionary_string /php-src/ext/zlib/zlib.c:816:9
    #3 0x55875e2c41af in zif_deflate_init /php-src/ext/zlib/zlib.c:1134:7
    #4 0x55876190eda3 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /php-src/Zend/zend_vm_execute.h:1363:2
    #5 0x558761443713 in execute_ex /php-src/Zend/zend_vm_execute.h:58565:7
    #6 0x558761445872 in zend_execute /php-src/Zend/zend_vm_execute.h:64217:2
    #7 0x558762145b01 in zend_execute_script /php-src/Zend/zend.c:1928:3
    #8 0x558760a56798 in php_execute_script_ex /php-src/main/main.c:2574:13
    #9 0x558760a57858 in php_execute_script /php-src/main/main.c:2614:9
    #10 0x558762159276 in do_cli /php-src/sapi/cli/php_cli.c:935:5
    #11 0x558762153944 in main /php-src/sapi/cli/php_cli.c:1310:18
    #12 0x7f44ab6a7d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #13 0x7f44ab6a7e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #14 0x55875da06db4 in _start (/php-src/sapi/cli/php+0x2606db4) (BuildId: 10f0f1f073ebe7bcaf9944c9da559b10d59463b0)

0x603000000264 is located 2 bytes to the right of 18-byte region [0x603000000250,0x603000000262)
allocated by thread T0 here:
    #0 0x55875da8c7de in malloc (/php-src/sapi/cli/php+0x268c7de) (BuildId: 10f0f1f073ebe7bcaf9944c9da559b10d59463b0)
    #1 0x7f44aaa9fee7  (/lib/x86_64-linux-gnu/libtasn1.so.6+0x3ee7) (BuildId: 2fde6ecb43c586fe4077118f771077aa1298e7ea)

SUMMARY: AddressSanitizer: heap-buffer-overflow /php-src/Zend/zend_alloc.c:1528:28 in zend_mm_free_heap
==2278709==ABORTING

PHP Version

PHP 8.4.0-dev

Operating System

Ubuntu 22.04
