
Stack buffer overflow ext/bcmath/libbcmath/src/div.c:464:12 in bc_divide #16978

Closed
@YuanchengJiang

Description

The following code:

```php
<?php
$file = $dirname . 'tmp.zip';
$zip = new ZipArchive;
if (!$zip->open($file, ZipArchive::CREATE)) {
}
$zip->addFromString('�', __FILE__, ZipArchive::FL_ENC_UTF_8);
$fusion = $zip;
require(__DIR__ . "/run_bcmath_tests_function.inc");
$exponents = ["252", "-112"];
run_bcmath_tests($fusion, $exponents, "**", bcpow(...));
```

Resulted in this output:

```
=================================================================
==845608==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffedda3eff0 at pc 0x000000e6e458 bp 0x7ffedda3e380 sp 0x7ffedda3e378
WRITE of size 1 at 0x7ffedda3eff0 thread T0
    #0 0xe6e457 in bc_divide /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/bcmath/libbcmath/src/div.c:464:12
    #1 0xe83120 in bc_raise /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/bcmath/libbcmath/src/raise.c:95:7
    #2 0xe41e90 in zif_bcpow /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/bcmath/bcmath.c:618:7
    #3 0x3d67ff8 in zend_closure_internal_handler /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_closures.c:724:2
    #4 0x4291997 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:2037:4
    #5 0x3fb01c7 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #6 0x3fb244c in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #7 0x4d48a09 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #8 0x355e25a in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #9 0x355f398 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #10 0x4d5cd1a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #11 0x4d571ff in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #12 0x7f282fcddd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7f282fcdde3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x605a64 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605a64)

Address 0x7ffedda3eff0 is located in stack of thread T0 at offset 496 in frame
    #0 0xe3ffff in zif_bcpow /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/bcmath/bcmath.c:571

  This frame has 8 object(s):
    [32, 40) 'base_str' (line 572)
    [64, 72) 'exponent_str' (line 572)
    [96, 104) 'scale_param' (line 573)
    [128, 129) 'scale_param_is_null' (line 574)
    [144, 152) 'first' (line 575)
    [176, 184) 'bc_exponent' (line 575)
    [208, 216) 'result' (line 575)
    [240, 496) 'bc_arena' (line 593) <== Memory access at offset 496 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/bcmath/libbcmath/src/div.c:464:12 in bc_divide
Shadow bytes around the buggy address:
  0x10005bb3fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005bb3fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005bb3fdc0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
  0x10005bb3fdd0: 01 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 00
  0x10005bb3fde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005bb3fdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
  0x10005bb3fe00: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10005bb3fe10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005bb3fe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005bb3fe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005bb3fe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==845608==ABORTING
```

PHP Version

nightly

Operating System

ubuntu 22.04
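The frame dump above shows the shape of the bug: a fixed 256-byte scratch area on the caller's stack (`bc_arena` at `[240, 496)`) that a callee writes one byte past. As an added illustration that is not php-src code, the defensive version of that pattern is an arena that bounds-checks each request and falls back to the heap when the scratch space is exhausted; `ARENA_SIZE`, `arena_t`, `arena_alloc` and `fill_digits` are assumed names for this example only.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout, mirroring the frame in the report: a fixed 256-byte
 * scratch buffer on the caller's stack (bc_arena at [240, 496)) that
 * callees carve temporaries out of. Names and sizes are illustrative. */
#define ARENA_SIZE 256

typedef struct {
    char *buf;              /* the caller's fixed stack buffer */
    size_t used;            /* bytes already handed out */
    size_t heap_fallbacks;  /* requests that did not fit and went to the heap */
} arena_t;

/* Hand out n bytes. When the request no longer fits, fall back to malloc
 * instead of writing past the end of the stack buffer. */
static void *arena_alloc(arena_t *a, size_t n, bool *on_heap) {
    if (n <= ARENA_SIZE - a->used) {
        void *p = a->buf + a->used;
        a->used += n;
        *on_heap = false;
        return p;
    }
    a->heap_fallbacks++;
    *on_heap = true;
    return malloc(n);
}

/* Stand-in for a digit-string routine that needs len + 1 bytes of scratch
 * (len digits plus a terminator). Returns the number of digits written and
 * reports via *fallbacks whether the arena had to be bypassed. */
size_t fill_digits(size_t len, size_t *fallbacks) {
    char stack_arena[ARENA_SIZE];
    arena_t a = { stack_arena, 0, 0 };
    bool on_heap;
    char *p = arena_alloc(&a, len + 1, &on_heap);
    if (!p) return 0;
    memset(p, '9', len);
    p[len] = '\0';
    size_t written = strlen(p);
    if (on_heap) free(p);
    *fallbacks = a.heap_fallbacks;
    return written;
}
```

A request of 256 digits needs 257 bytes, which is exactly the one-byte-past-the-end case the report shows; with the check in place it is served from the heap rather than overrunning the arena.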
