From 0f21cbc57c0f210cc5ea35b78f354cf2e0949e0e Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Mon, 27 Feb 2023 19:44:42 +0100 Subject: [PATCH] Fix GH-10715: phpdbg heap buffer overflow -- by misuse of the option "--run" Fixes GH-10715 When a string starting with a NUL character is passed to phpdbg_vprint(), the vasprintf() will return that 0 characters have been printed. This causes msglen == 0. When phpdbg_process_print() is called with a message of length 0, the -1 to check for '\n' will perform an out of bounds read. Since nothing is printed anyway for msglen == 0, it seems best to just skip the printing routine for this case. Closes GH-10720. --- NEWS | 3 +++ sapi/phpdbg/phpdbg_out.c | 6 +++++- sapi/phpdbg/tests/gh10715.phpt | Bin 0 -> 192 bytes 3 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 sapi/phpdbg/tests/gh10715.phpt diff --git a/NEWS b/NEWS index 5f048e0f89a..5e940ee0217 100644 --- a/NEWS +++ b/NEWS @@ -61,6 +61,9 @@ PHP NEWS . Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars). (Michael Voříšek) +- PHPDBG: + . Fixed bug GH-10715 (heap buffer overflow on --run option misuse). (nielsdos) + - PGSQL: . Fix GH-10672 (pg_lo_open segfaults in the strict_types mode). (girgias) diff --git a/sapi/phpdbg/phpdbg_out.c b/sapi/phpdbg/phpdbg_out.c index a6eb84de2c1..af2f3b98d2b 100644 --- a/sapi/phpdbg/phpdbg_out.c +++ b/sapi/phpdbg/phpdbg_out.c @@ -143,7 +143,11 @@ PHPDBG_API int phpdbg_vprint(int type, int fd, const char *strfmt, va_list args) return msglen; } - len = phpdbg_process_print(fd, type, msg, msglen); + if (UNEXPECTED(msglen == 0)) { + len = 0; + } else { + len = phpdbg_process_print(fd, type, msg, msglen); + } if (msg) { free(msg); diff --git a/sapi/phpdbg/tests/gh10715.phpt b/sapi/phpdbg/tests/gh10715.phpt new file mode 100644 index 0000000000000000000000000000000000000000..13edd9afdd8f05df2744b3d5d1257c827d219c40 GIT binary patch literal 192 zcmX|(JqyAx6h)o$D;@
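Review bot: the guard in the sapi/phpdbg/phpdbg_out.c hunk only protects this one call site; phpdbg_process_print() itself, where the commit message locates the `[msglen - 1]` newline check, is left unchanged by the diff, so any other caller (or a future one) that passes msglen == 0 hits the same out-of-bounds read. Suggest adding the length test inside phpdbg_process_print() too, e.g. an early `if (msglen <= 0) { return 0; }` before the newline check, and keeping the `if (UNEXPECTED(msglen == 0))` short-circuit in phpdbg_vprint() as the fast path. A one-line comment on the new branch saying why an empty message must not reach the newline check (GH-10715) would also save the next reader a trip to git blame.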
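Review bot: the regression test sapi/phpdbg/tests/gh10715.phpt arrives as a "GIT binary patch" (presumably because the --run input has to begin with a literal NUL byte), so the diff shows no readable --TEST--/--FILE--/--EXPECT-- sections and reviewers cannot see what the test asserts. Suggest building the NUL byte inside the test's PHP code (for example with "\0" in a string, or chr(0)) so the file stays plain text and reviewable, or at least quoting the test body in the commit description.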
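The control flow the commit message describes, as an added stand-alone illustration that is not phpdbg's own code: a printf-style formatter reports 0 bytes for an argument whose first byte is NUL, and a trailing-newline probe written as msg[msglen - 1] then indexes one byte before the heap allocation. The names my_vasprintf(), process_print() and vprint_len() are stand-ins chosen here (my_vasprintf is built on vsnprintf so the file compiles without _GNU_SOURCE), not the phpdbg functions; the sample inputs are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not phpdbg code. Models the path in GH-10715:
 * formatter returns 0 -> msglen == 0 -> msg[msglen - 1] reads msg[-1].
 */

/* Stand-in for vasprintf(): same contract (returns the formatted length,
 * -1 on failure, *out receives a malloc'd NUL-terminated copy), built on
 * vsnprintf so no feature macro is needed. */
static int my_vasprintf(char **out, const char *fmt, va_list args) {
    va_list copy;
    va_copy(copy, args);
    int n = vsnprintf(NULL, 0, fmt, copy);   /* measure only */
    va_end(copy);
    if (n < 0) { *out = NULL; return -1; }
    char *buf = malloc((size_t)n + 1);
    if (!buf) { *out = NULL; return -1; }
    vsnprintf(buf, (size_t)n + 1, fmt, args);
    *out = buf;
    return n;
}

/* Pre-fix shape of the newline probe. With msglen == 0 this evaluates
 * msg[-1], a one-byte heap under-read. Only ever called with msglen > 0
 * in this file; it is here to show the pattern next to the guarded form. */
static int ends_with_newline_unchecked(const char *msg, int msglen) {
    return msg[msglen - 1] == '\n';
}

/* Hardened probe: the length test short-circuits before the index. */
static int ends_with_newline(const char *msg, int msglen) {
    return msglen > 0 && msg[msglen - 1] == '\n';
}

/* Stand-in for phpdbg_process_print(): returns the number of bytes it
 * would emit (the message plus one '\n' appended when it has none).
 * Nothing is actually written, so the value can be asserted on. */
static int process_print(const char *msg, int msglen) {
    return msglen + (ends_with_newline(msg, msglen) ? 0 : 1);
}

/* Stand-in for phpdbg_vprint() after the patch: a zero-length result
 * skips process_print() entirely, as the added UNEXPECTED() branch does. */
static int vprint_len(const char *fmt, ...) {
    char *msg = NULL;
    va_list args;
    va_start(args, fmt);
    int msglen = my_vasprintf(&msg, fmt, args);
    va_end(args);
    if (msglen < 0) return msglen;           /* formatting failed, nothing allocated */
    int len = (msglen == 0) ? 0 : process_print(msg, msglen);
    free(msg);
    return len;
}

int main(void) {
    /* Constructed trigger: the argument begins with NUL, so "%s" formats to
     * the empty string and the formatter reports 0 bytes. */
    static const char nul_first[] = "\0abc";
    printf("NUL-first argument  -> %d bytes\n", vprint_len("%s", nul_first));
    printf("\"hello\"             -> %d bytes (newline appended)\n", vprint_len("%s", "hello"));
    printf("\"hello\\n\"           -> %d bytes\n", vprint_len("%s\n", "hello"));
    printf("unchecked probe, len 2 on \"a\\n\" -> %d\n", ends_with_newline_unchecked("a\n", 2));
    return 0;
}
```

The guarded probe is the shape a reviewer should expect anywhere a length-minus-one index appears: the comparison against zero has to come first in the && chain, otherwise the index is still evaluated for an empty message.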