ext/standard: reject a dechunk chunk size that overflows size_t#171
Closed
iliaal wants to merge 4 commits into
Closed
ext/standard: reject a dechunk chunk size that overflows size_t#171iliaal wants to merge 4 commits into
iliaal wants to merge 4 commits into
Conversation
iliaal
force-pushed
the
std-ss007-dechunk-size-overflow
branch
from
July 16, 2026 18:56
e742195 to
70bcfdb
Compare
iliaal
force-pushed
the
std-ss007-dechunk-size-overflow
branch
from
July 16, 2026 20:10
70bcfdb to
48610c3
Compare
make_http_soap_request() looked for the reason phrase with strstr(tmp, " ") even when the first strstr() found no space, which happens for a status line carrying a version but no status code, such as "HTTP/1.1". tmp is NULL there, so strstr() dereferenced it and the client crashed. Only parse the reason phrase when a status code field was present. Closes phpGH-22761
php_ftp_dirstream_read() sized the basename copy with MIN(sizeof(ent->d_name), ZSTR_LEN(basename) - 1) and wrote the terminator at [tmp_len - 1]. An empty listing line leaves a basename of length 1, so tmp_len is 0 and the NUL lands one byte before d_name; a slash-only line leaves length 0, so the subtraction underflows to SIZE_MAX and memcpy() reads 4096 bytes past the interned empty string. The same off-by-one truncated entry names that do not end in CRLF. Closes phpGH-22768
odbc_sqlconnect() stripped a trailing semicolon by writing a NUL into the Z_PARAM_STRING buffer, which is a zend_string. Shared variables, interned literals, and const values used as the DSN were permanently altered (strlen unchanged, last byte became NUL). Compute the base length instead and pass it to spprintf with %.*s, matching the non-mutating approach used when assembling UID/PWD into the connect string. Closes phpGH-22776
php_dechunk() accumulated the hex chunk size with chunk_size * 16 + digit and never checked the multiply, so a size of 2^64 wrapped to 0. A zero size reads as the terminating chunk, so the filter stopped there and dropped the body it had been handed. Error out instead, as the other malformed-size cases already do.
iliaal
force-pushed
the
std-ss007-dechunk-size-overflow
branch
from
July 17, 2026 14:04
48610c3 to
36ba49e
Compare
Owner
Author
|
Promoted upstream: php#22786. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
php_dechunk()accumulated the hex chunk size withchunk_size * 16 + digitand never checked the multiply. A size of10000000000000000is 2^64, which wraps to 0, and 0 reads as the terminating chunk, so the filter stops and drops the body it was handed:The guard is hoisted out of the three digit branches rather than repeated in each, which needs the digit value computed first.
SIZE_MAX / 16is sufficient for the add as well: the largest value that survives it isSIZE_MAX / 16, andSIZE_MAX / 16 * 16 + 15is exactlySIZE_MAX.Floor: PHP-8.4.