Bugzilla – Bug 827317
VUL-1: CVE-2013-2110: php53: php_quot_print_encode heap based overflow
Last modified: 2014-06-12 15:17:49 UTC
Is public, via CVE db http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2110 Heap-based buffer overflow in the php_quot_print_encode function in ext/standard/quot_print.c in PHP before 5.3.26 and 5.4.x before 5.4.16 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted argument to the quoted_printable_encode function. CONFIRM:http://www.php.net/ChangeLog-5.php CONFIRM:https://bugs.php.net/bug.php?id=64879
PHP 5.2 and older do not seem to have the function, so they are not affected.
The affected piece exists in our code in php53 on SLE11 SP2.
bugbot adjusting priority
Marcus, can you reproduce it with the testcase given in the description of the PHP bug? I can't, or I haven't understood the real issue. For multiplier=1000, ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0); should allocate 1*(3*1000 + 3*(((3*1000)/75) + 1)) + 0 = 3123 bytes, and *ret_length == 3117 at the end of php_quot_print_encode(), which is below the allocated amount, and *d is monotone. For multiplier=100000 (second testcase of bug64879.phpt), it allocates 312003 bytes, which also suffices, because *ret_length == 311997 at the end of this function in this case. Or have I made a mistake somewhere?
Tested with php 5.3.25.
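The arithmetic in the comment above can be checked mechanically. The following is an added example, not code from the bug report or from PHP: it models the safe_emalloc() bound quoted above and simulates the output length of php_quot_print_encode() for an input in which every byte needs =XX encoding, using the PHP 5.3 line-accounting rule as assumed here (a soft line break "=\r\n" is written before an encoded byte whenever the current line would otherwise exceed PHP_QPRINT_MAXL = 75 characters, after which the line counter restarts at 3). The 1000- and 100000-byte inputs are the constructed counterparts of the two testcases mentioned above; the function names are the example's own.

```c
/* Added example: model of the 5.3 allocation bound and worst-case output length
 * for php_quot_print_encode(). Not PHP's code; the line-break rule is an assumption. */
#include <stddef.h>
#include <stdio.h>

#define PHP_QPRINT_MAXL 75

/* Bytes requested by safe_emalloc(1, 3*length + 3*((3*length)/MAXL + 1), 0),
 * exactly the expression quoted in the comment above. */
size_t qp_alloc_size(size_t length)
{
    return 3 * length + 3 * (((3 * length) / PHP_QPRINT_MAXL) + 1);
}

/* Output length when every input byte is emitted as "=XX" (3 chars).
 * lp tracks the current line length; when adding 3 would push it past
 * PHP_QPRINT_MAXL, a 3-char soft break "=\r\n" is emitted first and lp
 * restarts at 3 (assumed 5.3 behaviour). The terminating NUL written by
 * the real function is not counted here; the bound check adds it back. */
size_t qp_worst_case_output_length(size_t length)
{
    size_t lp = 0, out = 0;
    for (size_t i = 0; i < length; i++) {
        lp += 3;
        if (lp > PHP_QPRINT_MAXL) {
            out += 3;   /* "=\r\n" soft line break */
            lp = 3;
        }
        out += 3;       /* "=XX" */
    }
    return out;
}

/* Returns 1 if output length + 1 (NUL) fits in the allocation for every
 * input length in [0, max_length]; otherwise 0, with the first failing
 * length stored in *first_failure when that pointer is non-NULL. */
int qp_bound_holds_up_to(size_t max_length, size_t *first_failure)
{
    for (size_t n = 0; n <= max_length; n++) {
        if (qp_worst_case_output_length(n) + 1 > qp_alloc_size(n)) {
            if (first_failure)
                *first_failure = n;
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: 1000 and 100000 bytes that all require encoding. */
    size_t lens[] = { 1000, 100000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("length %zu: alloc %zu, output %zu\n", lens[i],
               qp_alloc_size(lens[i]), qp_worst_case_output_length(lens[i]));
    }
    size_t bad = 0;
    int ok = qp_bound_holds_up_to(10000, &bad);
    if (ok)
        printf("bound holds for all lengths up to 10000\n");
    else
        printf("bound fails first at length %zu\n", bad);
    return 0;
}
```

Under this model the allocation exceeds the written length by at least 3 bytes for every input length, which agrees with the two figures in the comment (3123 vs. 3117 and 312003 vs. 311997); the bound only stops holding once per-byte line accounting is changed so that more than 3 output characters can be attributed to one input byte, which is the direction the later discussion points at.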
Here we are: https://bugzilla.redhat.com/show_bug.cgi?id=964969#c2 The commit referenced there appears not to be in the 5.3 branch, which leads me to suspect that http://git.php.net/?p=php-src.git;a=commitdiff;h=93e0d78ec655f59ebfa82b2c6f8486c43651c1d0 is redundant. I tend to believe we are not affected by this flaw then. 5.4 we have only in Factory, which is already fixed by upgrading to 5.4.16. I suggest closing this as invalid.
I looked over it and I think you are correct. The heap overflow problem was introduced by the additional linebreak handling introduced by the commit you mentioned. The issue does not affect PHP 5.3 on SLE11 SP2 or SP3.
Just for the record, the issue _can_ be reproduced with 5.4.15 as described in the PHP bug.