Fix GH-16411: gmp_export() can cause overflow #16418

Closed
wants to merge 2 commits into from
Changes from 1 commit
10 changes: 8 additions & 2 deletions ext/gmp/gmp.c
Expand Up @@ -1002,8 +1002,14 @@ ZEND_FUNCTION(gmp_export)
if (mpz_sgn(gmpnumber) == 0) {
RETVAL_EMPTY_STRING();
} else {
size_t bits_per_word = size * 8;
size_t count = (mpz_sizeinbase(gmpnumber, 2) + bits_per_word - 1) / bits_per_word;
ZEND_ASSERT(size > 0);
size_t size_in_base_2 = mpz_sizeinbase(gmpnumber, 2);
if (size > ZEND_LONG_MAX / 4 || size_in_base_2 > SIZE_MAX - (size_t) size * 8 + 1) {
zend_argument_value_error(2, "is too large for argument #1 ($num)");
RETURN_THROWS();
}
size_t bits_per_word = (size_t) size * 8;
size_t count = (size_in_base_2 + bits_per_word - 1) / bits_per_word;

zend_string *out_string = zend_string_safe_alloc(count, size, 0, 0);
mpz_export(ZSTR_VAL(out_string), NULL, order, size, endian, 0, gmpnumber);
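Review bot: the new bound `size > ZEND_LONG_MAX / 4` reads as a magic constant; what it actually guarantees is that `(size_t) size * 8` cannot wrap, and the second clause `size_in_base_2 > SIZE_MAX - (size_t) size * 8 + 1` only gives a meaningful limit because the `||` short-circuits before that multiplication is reached with a wrapping value. Consider spelling the first clause as `size > SIZE_MAX / 8` (the same value on both 32-bit and 64-bit builds) or a named constant, and add a one-line comment that the order of the two clauses matters, so a later reordering does not reintroduce the wrap. The `ZEND_ASSERT(size > 0)` usefully records that zero and negative word sizes are rejected earlier, but the message "is too large for argument #1 ($num)" is misleading for the first clause, which rejects the word size regardless of $num; wording keyed on $word_size alone would be more accurate for that branch.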
11 changes: 11 additions & 0 deletions ext/gmp/tests/gh16411.phpt
@@ -0,0 +1,11 @@
--TEST--
GH-16411 (gmp_export() can cause overflow)
--EXTENSIONS--
gmp
--FILE--
<?php
gmp_export(-9223372036854775808, 9223372036854775807, -9223372036854775808);
Member
Seems like we don't validate the $option argument properly?

Member Author
Ah, we're only checking for the relevant flags:

php-src/ext/gmp/gmp.c

Lines 929 to 958 in 79c71c9

switch (options & (GMP_LSW_FIRST | GMP_MSW_FIRST)) {
case GMP_LSW_FIRST:
*order = -1;
break;
case GMP_MSW_FIRST:
case 0: /* default */
*order = 1;
break;
default:
/* options argument is in third position */
zend_argument_value_error(3, "cannot use multiple word order options");
return false;
}
switch (options & (GMP_LITTLE_ENDIAN | GMP_BIG_ENDIAN | GMP_NATIVE_ENDIAN)) {
case GMP_LITTLE_ENDIAN:
*endian = -1;
break;
case GMP_BIG_ENDIAN:
*endian = 1;
break;
case GMP_NATIVE_ENDIAN:
case 0: /* default */
*endian = 0;
break;
default:
/* options argument is in third position */
zend_argument_value_error(3, "cannot use multiple endian options");
return false;
}

So basically $options % 32. I think this is okay (wouldn't want to touch it for a stable release), but could be improved for master (reject >= 32).

Member
Yeah, improving this for master is what I had in mind; I was just surprised that the large int wasn't caught by the option checking.

?>
--EXPECTF--
Fatal error: Uncaught ValueError: gmp_export(): Argument #2 ($word_size) is too large for argument #1 ($num) in %s:%d
%A
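Review bot: the test only exercises the rejecting branch, and it passes `-9223372036854775808` as $options, which, as the thread above notes, is accepted only because the options check masks down to the five flag bits. If master later rejects unknown option bits, this test would start failing on the options error rather than on the word_size error it is meant to cover; consider passing 0 or a real flag such as GMP_MSW_FIRST for $options, and adding a second call with a large but valid $word_size that is expected to succeed, so the guard is shown not to reject legitimate inputs.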
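The two argument checks discussed on this page, the word-count overflow fixed by the hunk in gmp.c and the options masking raised in the review thread, as an added stand-alone C model that is not code from php-src or from this PR. It runs the arithmetic on the exact arguments used in gh16411.phpt and shows the pre-fix count wrapping to 0 beside the post-fix guard rejecting it, and the lenient options decoder accepting -9223372036854775808 beside a strict variant in the spirit of the "reject >= 32" suggestion. The GMP_* flag values, the 64-bit zend_long, the struct return types and the fact that mpz_sizeinbase(-2^63, 2) is 64 are assumptions made for the example.

```c
/*
 * Added example, not php-src code: a stand-alone model of two gmp_export()
 * argument checks, compiled without PHP or libgmp. Flag values, the 64-bit
 * zend_long and the struct return types are assumptions for this example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t zend_long;               /* assumed: 64-bit build */
#define ZEND_LONG_MAX INT64_MAX

/* Assumed flag values: five bits, matching the "$options % 32" remark. */
#define GMP_MSW_FIRST      (1 << 0)
#define GMP_LSW_FIRST      (1 << 1)
#define GMP_LITTLE_ENDIAN  (1 << 2)
#define GMP_BIG_ENDIAN     (1 << 3)
#define GMP_NATIVE_ENDIAN  (1 << 4)
#define GMP_KNOWN_FLAGS    (GMP_MSW_FIRST | GMP_LSW_FIRST | GMP_LITTLE_ENDIAN | \
                            GMP_BIG_ENDIAN | GMP_NATIVE_ENDIAN)

struct export_layout { bool ok; int order; int endian; };
struct word_count    { bool ok; size_t count; };

/* Lenient decoding, as in the gmp.c switch quoted in the review: only the
 * five flag bits are examined, so every other bit of $options is ignored. */
struct export_layout decode_options_lenient(zend_long options)
{
    struct export_layout l = { false, 0, 0 };
    switch (options & (GMP_LSW_FIRST | GMP_MSW_FIRST)) {
    case GMP_LSW_FIRST:            l.order = -1; break;
    case GMP_MSW_FIRST: case 0:    l.order = 1;  break;
    default: return l;                        /* both word orders set */
    }
    switch (options & (GMP_LITTLE_ENDIAN | GMP_BIG_ENDIAN | GMP_NATIVE_ENDIAN)) {
    case GMP_LITTLE_ENDIAN:         l.endian = -1; break;
    case GMP_BIG_ENDIAN:            l.endian = 1;  break;
    case GMP_NATIVE_ENDIAN: case 0: l.endian = 0;  break;
    default: return l;                        /* several endian flags set */
    }
    l.ok = true;
    return l;
}

/* Strict variant (hypothetical, in the spirit of "reject >= 32"): any bit
 * outside the known flags, including the sign bit, is an error. */
struct export_layout decode_options_strict(zend_long options)
{
    if (options < 0 || options > GMP_KNOWN_FLAGS) {
        struct export_layout bad = { false, 0, 0 };
        return bad;
    }
    return decode_options_lenient(options);
}

/* Pre-fix word count: size * 8 wraps modulo 2^64 for a huge $word_size, so
 * the count can come out as 0 and the output buffer is sized for zero words
 * even though the number still has bytes to export. */
size_t word_count_unchecked(size_t size_in_base_2, zend_long size)
{
    size_t bits_per_word = (size_t) size * 8;
    return (size_in_base_2 + bits_per_word - 1) / bits_per_word;
}

/* Post-fix word count mirroring the PR's guard; ok == false is where
 * gmp_export() now throws a ValueError instead of wrapping. */
struct word_count word_count_checked(size_t size_in_base_2, zend_long size)
{
    struct word_count r = { false, 0 };
    if (size <= 0) {
        return r;                             /* rejected earlier in the real code */
    }
    /* The first clause keeps (size_t) size * 8 from wrapping; the second
     * clause's subtraction relies on that, so the || order matters. */
    if (size > ZEND_LONG_MAX / 4 || size_in_base_2 > SIZE_MAX - (size_t) size * 8 + 1) {
        return r;
    }
    size_t bits_per_word = (size_t) size * 8;
    r.ok = true;
    r.count = (size_in_base_2 + bits_per_word - 1) / bits_per_word;
    return r;
}

int main(void)
{
    /* Constructed input: the three arguments from gh16411.phpt. The bit
     * length of -2^63 is 64; mpz_sizeinbase does not count the sign. */
    const size_t bits = 64;
    const zend_long word_size = 9223372036854775807LL;
    const zend_long options = INT64_MIN;

    printf("pre-fix count:  %zu\n", word_count_unchecked(bits, word_size));
    printf("post-fix ok:    %d\n", word_count_checked(bits, word_size).ok);
    printf("lenient ok: %d, strict ok: %d\n",
           decode_options_lenient(options).ok, decode_options_strict(options).ok);
    return 0;
}
```

The unchecked path also wraps for a genuinely huge bit length with a small word size, which the guard's second clause covers; the strict decoder shows how little code the "reject unknown bits" improvement for master would take.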