Remove pattern overflow in zip addGlob() #19688

@chongwick

Description

The following code:

<?php
// Fuzzer-style reproducer: creates <dir>/bug72374 with two files, opens a zip
// there, then calls addGlob() with a remove_path longer than the matched path.
$v_61879 = __FILE__;
$v_61880 = dirname($v_61879,);
$v_61881 = '/';
$v_61882 = $v_61880 . $v_61881;
$v_61883 = 'bug72374';
$v_61882 = $v_61882 . $v_61883;
$v_61885 = mkdir($v_61882,);
$v_61886 = '/some-foo.txt';
$v_61887 = $v_61882 . $v_61886;
$v_61888 = touch($v_61887,);
$v_61889 = '/some-bar.txt';
$v_61890 = $v_61882 . $v_61889;
$v_61891 = touch($v_61890,);
$v_61892 = new ZipArchive();
$v_61893 = '/test.zip';
$v_61894 = $v_61882 . $v_61893;
$v_61895 = ZipArchive::CREATE;
$v_61896 = ZipArchive::OVERWRITE;
$v_61897 = $v_61895 | $v_61896;
$v_61898 = $v_61892->open($v_61894,$v_61897,);
$v_61899 = 0;
$v_61921 = 'http://www.google.com/';
// remove_path = <dir>/bug72374http://www.google.com/ : longer than the
// matched file path <dir>/bug72374/some-foo.txt.
$v_61903 = $v_61882 . $v_61921;
$v_61900 = array('remove_path' => $v_61903,);
// php_zip_add_from_pattern() memcmp()s remove_path_len bytes against the
// matched file name, reading past its end (see the ASan trace below).
$v_61904 = $v_61892->addGlob($v_61887,$v_61899,$v_61900,);
$v_61905 = 0;
$v_61910 = $v_61892->addGlob($v_61887,$v_61905,$v_61921,);
$v_61911 = 0;
$v_61912 = array('remove_path' => $v_61882,);
$v_61914 = $v_61892->addGlob($v_61890,$v_61911,$v_61912,);
$v_61922 = curl_init($v_61921,);
$v_61916 = 'foo.txt';
$v_61917 = 'some-foo.txt';
$v_61918 = 'some-bar.txt';
$v_61915 = array(0 => $v_61916,1 => $v_61917,2 => $v_61918,);
// verify_entries() is not defined in this reproducer; ASan aborts the
// process at the first addGlob() call, before execution reaches it.
$v_61919 = verify_entries($v_61922,$v_61915,);
$v_61920 = $v_61892->close();

Resulted in this output:

=================================================================
==1871522==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000024418 at pc 0x00000061c746 bp 0x7ffcba1974e0 sp 0x7ffcba196c88
READ of size 53 at 0x607000024418 thread T0
    #0 0x61c745 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x61c745)
    #1 0x61cc3a in memcmp (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x61cc3a)
    #2 0x490d77a in php_zip_add_from_pattern /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:1747:37
    #3 0x490bcb1 in zim_ZipArchive_addGlob /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:1814:2
    #4 0x5db44bb in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2119:4
    #5 0x5af34e3 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
    #6 0x5af5a6c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
    #7 0x6874b19 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #8 0x5059daa in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
    #9 0x505aee8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
    #10 0x6889a2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
    #11 0x6883e0f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #12 0x15122094ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x15122094ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #14 0x6061f4 in _start (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6061f4)

0x607000024418 is located 0 bytes to the right of 72-byte region [0x6070000243d0,0x607000024418)
allocated by thread T0 here:
    #0 0x6810bd in malloc (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x6810bd)
    #1 0x56cdb73 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3561:14
    #2 0x56cc2d9 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2798:10
    #3 0x5726128 in zend_string_alloc /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:167:36
    #4 0x571446a in zend_string_init /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:189:21
    #5 0x571fb61 in add_next_index_string /home/w023dtc/nightly_php/php-src/Zend/zend_API.c:2198:2
    #6 0x48f79b3 in php_zip_glob /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:671:3
    #7 0x490cda1 in php_zip_add_from_pattern /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:1724:11
    #8 0x490bcb1 in zim_ZipArchive_addGlob /home/w023dtc/nightly_php/php-src/ext/zip/php_zip.c:1814:2
    #9 0x5db44bb in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2119:4
    #10 0x5af34e3 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
    #11 0x5af5a6c in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
    #12 0x6874b19 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #13 0x5059daa in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
    #14 0x505aee8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
    #15 0x6889a2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
    #16 0x6883e0f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #17 0x15122094ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/w023dtc/nightly_php/php-src/sapi/cli/php+0x61c745) in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
==1871522==ABORTING

USE_ZEND_ALLOC=0 php test.php

PHP Version

nightly

Operating System

20.04
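The ASan trace shows memcmp() comparing remove_path_len bytes against a matched file name that is shorter than remove_path, so the read runs off the end of the zend_string. The following is a hypothetical, bounded model of that prefix stripping written for this issue (it is not php-src's php_zip_add_from_pattern()); the file and remove_path values are constructed to mirror the reproducer, and the length check before memcmp() is the guard the trace shows missing.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model (not php-src code) of how ZipArchive::addGlob() strips
 * the "remove_path" option from each matched file name. The trace in this
 * report shows memcmp() reading remove_path_len bytes from the matched name;
 * when remove_path is longer than that name the read overruns the buffer.
 * Checking file_len before calling memcmp() prevents the over-read.
 */
static const char *strip_remove_path(const char *file, size_t file_len,
                                     const char *remove_path,
                                     size_t remove_path_len, size_t *out_len)
{
    /* Compare only when `file` actually holds remove_path_len bytes. */
    if (remove_path_len == 0 || file_len < remove_path_len ||
        memcmp(file, remove_path, remove_path_len) != 0) {
        *out_len = file_len;
        return file;                      /* no prefix: keep the full path */
    }
    /* Prefix matched: also swallow a directory separator that follows it. */
    if (file_len > remove_path_len && file[remove_path_len] == '/') {
        *out_len = file_len - remove_path_len - 1;
        return file + remove_path_len + 1;
    }
    *out_len = file_len - remove_path_len;
    return file + remove_path_len;
}

/* Returns 1 when the archive entry name computed for `file` equals `expected`. */
static int entry_name_is(const char *file, const char *remove_path,
                         const char *expected)
{
    size_t n;
    const char *e = strip_remove_path(file, strlen(file), remove_path,
                                      strlen(remove_path), &n);
    return n == strlen(expected) && memcmp(e, expected, n) == 0;
}

int main(void)
{
    /* Constructed inputs shaped like the report: a short matched path and a
     * remove_path (dir + "http://www.google.com/") that is longer than it. */
    const char *file = "/tmp/bug72374/some-foo.txt";
    printf("%d\n", entry_name_is(file, "/tmp/bug72374http://www.google.com/", file)); /* 1 */
    printf("%d\n", entry_name_is(file, "/tmp/bug72374", "some-foo.txt"));          /* 1 */
    return 0;
}
```

With the over-long remove_path the function leaves the path untouched instead of reading beyond it; with the directory as remove_path it yields the bare entry name, which is the behaviour the reproducer's expected entry list ('some-foo.txt', 'some-bar.txt') relies on.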
