Fix GH-10715: phpdbg heap buffer overflow -- by misuse of the option "--run"

Fixes GH-10715 When a string starting with a NUL character is passed to phpdbg_vprint(), the vasprintf() will return that 0 characters have been printed. This causes msglen == 0. When phpdbg_process_print() is called with a message of length 0, the -1 to check for '\n' will perform an out of bounds read. Since nothing is printed anyway for msglen == 0, it seems best to just skip the printing routine for this case. Closes GH-10720.
2024-09-21 09:57:23 +00:00 · 2023-02-27 19:44:42 +01:00 · 2023-02-27 19:44:42 +01:00 · 0f21cbc57c
commit 0f21cbc57c
parent 44e5c04e55
3 changed files with 8 additions and 1 deletions
--- a/3
+++ b/3
@ -61,6 +61,9 @@ PHP                                                                        NEWS
  . Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
    (Michael Voříšek)

+- PHPDBG:
+  . Fixed bug GH-10715 (heap buffer overflow on --run option misuse). (nielsdos)
+
 - PGSQL:
  . Fix GH-10672 (pg_lo_open segfaults in the strict_types mode). (girgias)

--- a/sapi/phpdbg/phpdbg_out.c
+++ b/sapi/phpdbg/phpdbg_out.c
@ -143,7 +143,11 @@ PHPDBG_API int phpdbg_vprint(int type, int fd, const char *strfmt, va_list args)
 		return msglen;
 	}

-	len = phpdbg_process_print(fd, type, msg, msglen);
+	if (UNEXPECTED(msglen == 0)) {
+		len = 0;
+	} else {
+		len = phpdbg_process_print(fd, type, msg, msglen);
+	}

 	if (msg) {
 		free(msg);
--- a/sapi/phpdbg/tests/gh10715.phpt
+++ b/sapi/phpdbg/tests/gh10715.phpt