Closed
Description
The following code:
<?php
$v_81750 = __FILE__;
$v_81751 = dirname($v_81750,);
$v_81752 = '/';
$v_81753 = $v_81751 . $v_81752;
$v_81754 = 'bug72374';
$v_81753 = $v_81753 . $v_81754;
$v_81756 = mkdir($v_81753,);
$v_81757 = '/some-foo.txt';
$v_81758 = $v_81753 . $v_81757;
$v_81759 = touch($v_81758,);
$v_81760 = '/some-bar.txt';
$v_81761 = $v_81753 . $v_81760;
$v_81792 = __FILE__;
$v_81793 = mime_content_type($v_81792,);
$v_81762 = touch($v_81793,);
$v_81763 = new ZipArchive();
$v_81764 = '/test.zip';
$v_81765 = $v_81753 . $v_81764;
$v_81766 = ZipArchive::CREATE;
$v_81767 = ZipArchive::OVERWRITE;
$v_81768 = $v_81766 | $v_81767;
$v_81769 = $v_81763->open($v_81765,$v_81768,);
$v_81770 = 0;
$v_81773 = '/some-';
$v_81774 = $v_81792 . $v_81773;
$v_81771 = array('remove_path' => $v_81774,);
$v_81775 = $v_81763->addGlob($v_81758,$v_81770,$v_81771,);
Resulted in this output:
==1511600==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000024808 at pc 0x00000061c746 bp 0x7ffcb4a52060 sp 0x7ffcb4a51808
READ of size 56 at 0x607000024808 thread T0
#0 0x61c745 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x61c745)
#1 0x61cc3a in memcmp (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x61cc3a)
#2 0x490dcea in php_zip_add_from_pattern /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:1747:37
#3 0x490c221 in zim_ZipArchive_addGlob /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:1814:2
#4 0x5db4d8b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2119:4
#5 0x5af3db3 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
#6 0x5af633c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
#7 0x6875509 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
#8 0x505a31a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
#9 0x505b458 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
#10 0x688a41a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
#11 0x68847ff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
#12 0x15275938cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#13 0x15275938ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
#14 0x6061f4 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6061f4)
0x607000024808 is located 0 bytes to the right of 72-byte region [0x6070000247c0,0x607000024808)
allocated by thread T0 here:
#0 0x6810bd in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6810bd)
#1 0x56ce443 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3561:14
#2 0x56ccba9 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2798:10
#3 0x57269f8 in zend_string_alloc /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:167:36
#4 0x5714d3a in zend_string_init /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:189:21
#5 0x5720431 in add_next_index_string /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:2198:2
#6 0x48f7f23 in php_zip_glob /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:671:3
#7 0x490d311 in php_zip_add_from_pattern /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:1724:11
#8 0x490c221 in zim_ZipArchive_addGlob /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:1814:2
#9 0x5db4d8b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2119:4
#10 0x5af3db3 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
#11 0x5af633c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
#12 0x6875509 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
#13 0x505a31a in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
#14 0x505b458 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
#15 0x688a41a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
#16 0x68847ff in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
#17 0x15275938cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x61c745) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
Shadow bytes around the buggy address:
0x0c0e7fffc8b0: fa fa 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0e7fffc8c0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
0x0c0e7fffc8d0: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0e7fffc8e0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fffc8f0: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0e7fffc900: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1511600==ABORTING
USE_ZEND_ALLOC=0 php test.php
PHP Version: nightly
Operating System: 20.04
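Reading the trace: the 72-byte region is a zend_string created by add_next_index_string inside php_zip_glob (the glob match list), and the memcmp at php_zip.c:1747 in php_zip_add_from_pattern reads 56 bytes from it and runs off its end. The script passes `__FILE__ . '/some-'` as `remove_path`, which is longer than any path the glob can match, so a prefix compare sized by `remove_path_len` alone reads past the matched file name. The report runs with `USE_ZEND_ALLOC=0`, which is why the string is a plain malloc allocation that ASan can redzone (malloc, __zend_malloc, _emalloc in the allocation stack); under the Zend allocator the same over-read would go unreported. The following C is an added example by the editor, not php-src code and not the project's fix: it shows the bounded form of the prefix strip that addGlob's `remove_path` option performs, with hypothetical function names (`zip_entry_name`, `zip_entry_name_dup`) and constructed paths that mirror the report's layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Bounded variant of the remove_path prefix strip applied to every glob
 * match. The file name comes from the heap (in PHP, a zend_string sized
 * exactly to the path), so the compare must be bounded by the file name's
 * length before any byte is read.
 *
 * Returns a pointer into `path` (never a copy); the stripped length goes
 * to *out_len.
 */
const char *zip_entry_name(const char *path, size_t path_len,
                           const char *remove_path, size_t remove_len,
                           size_t *out_len)
{
    /* Unsafe pattern this replaces:
     *     memcmp(path, remove_path, remove_len) == 0
     * with no length check: when remove_len > path_len the compare reads
     * remove_len bytes from a path_len-byte allocation, i.e. past its end. */
    if (remove_len > 0 && path_len >= remove_len &&
        memcmp(path, remove_path, remove_len) == 0) {
        const char *rest = path + remove_len;
        size_t rest_len = path_len - remove_len;
        /* Drop one leading separator so "dir/" and "dir" strip the same. */
        if (rest_len > 0 && rest[0] == '/') {
            rest++;
            rest_len--;
        }
        *out_len = rest_len;
        return rest;
    }
    *out_len = path_len;
    return path;
}

/* Convenience wrapper: NUL-terminated copy of the entry name; caller frees. */
char *zip_entry_name_dup(const char *path, const char *remove_path)
{
    size_t out_len;
    const char *name = zip_entry_name(path, strlen(path),
                                      remove_path, strlen(remove_path), &out_len);
    char *copy = malloc(out_len + 1);
    if (!copy) return NULL;
    memcpy(copy, name, out_len);
    copy[out_len] = '\0';
    return copy;
}

int main(void)
{
    /* Constructed inputs mirroring the report: the glob match is shorter than
     * remove_path (built in the report as __FILE__ . '/some-'). The match is
     * placed in a heap buffer with no slack, so an unbounded memcmp would run
     * off its end exactly as in the ASan trace. */
    const char *match = "/tmp/bug72374/some-foo.txt";
    size_t match_len = strlen(match);
    char *heap_match = malloc(match_len);          /* exact size, no NUL */
    if (!heap_match) return 1;
    memcpy(heap_match, match, match_len);

    const char *remove_path = "/tmp/bug72374/test.php/some-";   /* longer than match */
    size_t out_len;
    const char *name = zip_entry_name(heap_match, match_len,
                                      remove_path, strlen(remove_path), &out_len);
    printf("%.*s\n", (int)out_len, name);          /* unchanged: prefix cannot fit */

    char *stripped = zip_entry_name_dup(match, "/tmp/bug72374");
    printf("%s\n", stripped);                      /* some-foo.txt */
    free(stripped);
    free(heap_match);
    return 0;
}
```

The length guard is the whole point: `path_len >= remove_len` must be evaluated before `memcmp`, and short-circuit evaluation guarantees no byte of `path` is touched when it fails. Building with `-fsanitize=address` and removing that guard reproduces the over-read on the first call in `main`, since `heap_match` has no slack after its 26 bytes.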