
Fix GH-20584: Information Leak of Memory

The string added had uninitialized memory due to
php_read_stream_all_chunks() not moving the buffer position, resulting
in the same data always being overwritten instead of new data being
added to the end of the buffer.

Closes GH-20592.
This commit is contained in:
Niels Dossche
2025-11-25 23:11:38 +01:00
parent 292a7f73ba
commit 8fe7930533
3 changed files with 41 additions and 0 deletions

NEWS

@@ -60,6 +60,7 @@ PHP NEWS
. Fix memory leak in array_diff() with custom type checks. (ndossche)
. Fixed bug GH-20583 (Stack overflow in http_build_query
via deep structures). (ndossche)
. Fixed bug GH-20584 (Information Leak of Memory). (ndossche)
- Tidy:
. Fixed bug GH-20374 (PHP with tidy and custom-tags). (ndossche)


@@ -403,6 +403,7 @@ static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_
if (read_now < stream->chunk_size && read_total != length) {
return 0;
}
buffer += read_now;
} while (read_total < length);
return read_total;
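Review bot: The added `buffer += read_now;` is the entire fix for GH-20584 yet carries no comment, so a later reader of this loop cannot tell that the pointer must advance or each chunk re-fills the head of the buffer and the tail stays uninitialized; add above it `/* advance so the next chunk appends; before GH-20584 every read overwrote the head and the tail was returned uninitialized */`. The read call that produces `read_now` lies outside the hunk, so whether the advanced pointer can ever step past `buffer + length` now rests on that read being capped at `length - read_total` — worth confirming, since that cap is what keeps the write in bounds. The existing `return 0;` on a short read leaves a partially filled buffer behind; callers that treat 0 as failure and discard it are fine, but any caller that still consumes the buffer would read stale bytes, which cannot be judged from this hunk. php_read_stream_all_chunks begins and ends outside the hunk.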


@@ -0,0 +1,39 @@
--TEST--
GH-20584 (Information Leak of Memory)
--CREDITS--
Nikita Sveshnikov (Positive Technologies)
--FILE--
<?php
// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
$file = __DIR__ . '/gh20584.jpg';
// Make APP1 large enough so it is read in multiple chunks
$chunk = 8192;
$tail = 123;
$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
$tail);
$app1Len = 2 + strlen($payload);
// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
"\x01\x11\x00";
$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
"\xFF\xD9";
file_put_contents($file, $jpeg);
// Read through a filter to enforce multiple reads
$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
$info = null;
@getimagesize($src, $info);
$exp = $payload;
$ret = $info['APP1'];
var_dump($ret === $exp);
?>
--CLEAN--
<?php
@unlink(__DIR__ . '/gh20584.jpg');
?>
--EXPECT--
bool(true)
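Review bot: `$ret = $info['APP1'];` on the line after the `@getimagesize` call yields only an "Undefined array key" warning plus `bool(false)` when the APP1 segment is not parsed at all, so a decoder regression would be indistinguishable from the memory-content regression this test guards against; adding `var_dump(isset($info['APP1']));` before the comparison, with a matching `bool(true)` line in EXPECT, separates the two failure modes. The `@` on `getimagesize` also masks any warning the image parser emits for the hand-built JPEG, and because EXPECT is exact a visible warning would be the more informative failure; if the minimal SOF0 layout is known to trigger a notice, keep the `@` and say so in the comment on that line. The fenced `--FILE--` section is shown with three statements wrapped across two lines each, which is rendering only.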