Fix Bug #80972: Memory exhaustion on invalid string offset

Closes GH-6890
2024-11-23 18:04:36 +08:00 · 2021-04-20 19:20:42 +01:00 · 2021-04-20 19:20:42 +01:00 · 418fcd22e8
commit 418fcd22e8
parent fe219d912e
6 changed files with 54 additions and 7 deletions
--- a/1
+++ b/1
@ -7,6 +7,7 @@ PHP                                                                        NEWS
    (cmb)
  . Fixed bug #67792 (HTTP Authorization schemes are treated as case-sensitive).
    (cmb)
+  . Fixed bug Bug #80972 (Memory exhaustion on invalid string offset). (girgias)

 - pgsql:
  . Fixed php_pgsql_fd_cast() wrt. php_stream_can_cast(). (cmb)
--- a/Zend/tests/bug31098.phpt
+++ b/Zend/tests/bug31098.phpt
@ -35,11 +35,12 @@ try {
 }
 echo $simpleString["0"] === "B"?"ok\n":"bug\n";
 try {
+    /* This must not affect the string value */
    $simpleString["wrong"] = "f";
 } catch (\TypeError $e) {
    echo $e->getMessage() . \PHP_EOL;
 }
-echo $simpleString["0"] === "f"?"ok\n":"bug\n";
+echo $simpleString["0"] === "B"?"ok\n":"bug\n";
 ?>
 --EXPECTF--
 bool(false)
--- a/Zend/tests/bug53432.phpt
+++ b/Zend/tests/bug53432.phpt
@ -58,7 +58,7 @@ Warning: Illegal string offset -1 in %s on line %d
 NULL
 string(0) ""
 Cannot access offset of type string on string
-string(1) "a"
+string(0) ""
 Error: [] operator not supported for strings
 string(0) ""
 Error: Cannot use assign-op operators with string offsets
--- a/Zend/tests/bug80972.phpt
+++ b/Zend/tests/bug80972.phpt
@ -0,0 +1,41 @@
+--TEST--
+Bug #80972: Memory exhaustion on invalid string offset
+--FILE--
+<?php
+
+function exceptions_error_handler($severity, $message, $filename, $lineno) {
+    if (error_reporting() & $severity) {
+        throw new ErrorException($message, 0, $severity, $filename, $lineno);
+    }
+}
+set_error_handler('exceptions_error_handler');
+
+$float = 10e120;
+$string_float = (string) $float;
+
+$string = 'Here is some text for good measure';
+
+try {
+    echo 'Float casted to string compile', \PHP_EOL;
+    $string[(string) 10e120] = 'E';
+    var_dump($string);
+} catch (\TypeError $e) {
+    echo $e->getMessage(), \PHP_EOL;
+}
+
+/* This same bug also permits to modify the first byte of a string even if
+ * the offset is invalid */
+try {
+    /* This must not affect the string value */
+    $string["wrong"] = "f";
+} catch (\Throwable $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
+var_dump($string);
+
+?>
+--EXPECT--
+Float casted to string compile
+Cannot access offset of type string on string
+Cannot access offset of type string on string
+string(34) "Here is some text for good measure"
--- a/Zend/tests/indexing_001.phpt
+++ b/Zend/tests/indexing_001.phpt
@ -52,7 +52,7 @@ foreach ($testvalues as $testvalue) {
 }

 ?>
--EXPECTF--
+--EXPECT--
 *** Indexing - Testing value assignment with key ***
 array(1) {
  ["foo"]=>
@ -74,12 +74,8 @@ array(1) {
    int(1)
  }
 }
-
-Warning: Array to string conversion in %s on line %d
 Cannot access offset of type string on string
 string(0) ""
-
-Warning: Array to string conversion in %s on line %d
 Cannot access offset of type string on string
 string(1) " "
 Cannot use a scalar value as an array
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@ -1525,6 +1525,14 @@ static zend_never_inline void zend_assign_to_string_offset(zval *str, zval *dim,
 	zend_long offset;

 	offset = zend_check_string_offset(dim, BP_VAR_W EXECUTE_DATA_CC);
+	/* Illegal offset assignment */
+	if (UNEXPECTED(EG(exception) != NULL)) {
+		if (UNEXPECTED(RETURN_VALUE_USED(opline))) {
+			ZVAL_UNDEF(EX_VAR(opline->result.var));
+		}
+		return;
+	}
+
 	if (offset < -(zend_long)Z_STRLEN_P(str)) {
 		/* Error on negative offset */
 		zend_error(E_WARNING, "Illegal string offset " ZEND_LONG_FMT, offset);