Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:920
Return-Path: <sascha@schumann.cx>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 71358 invoked from network); 15 Apr 2003 01:47:26 -0000
Received: from unknown (HELO milton.schell.de) (217.160.72.35)
  by pb1.pair.com with SMTP; 15 Apr 2003 01:47:26 -0000
Received: (qmail 15761 invoked by uid 501); 15 Apr 2003 01:47:25 -0000
Received: from unknown (HELO eco.foo) (80.143.20.242)
  by kdserv.de with SMTP; 15 Apr 2003 01:47:25 -0000
Received: from localhost (localhost [127.0.0.1])
	by eco.foo (Postfix) with ESMTP id E5CAA3BA4D
	for <internals@lists.php.net>; Tue, 15 Apr 2003 03:47:24 +0200 (CEST)
Date: Tue, 15 Apr 2003 03:47:24 +0200 (CEST)
X-X-Sender: sas@eco.foo
To: internals@lists.php.net
Message-ID: <Pine.LNX.4.53.0304150331160.637@eco.foo>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: HEADS UP: emalloc issue
From: sascha@schumann.cx (Sascha Schumann)

    Hi,

    if your extension determines the amount of memory to allocate
    by using a multiplication such as this

        void *p = emalloc(sizeof(struct foo) * nr_entries);

    then it is likely that your code is vulnerable to an integer
    overflow.  This happens, when the product of the
    multiplication cannot be represented by the integral type
    "long".  This can enable an attacker to overwrite data on the
    heap, possibly leading to a full compromise of the server.

    To avert such a scenario, we have introduced a safe_emalloc
    function.  You use this API member as follows:

        void *p = safe_emalloc(sizeof(struct foo), nr_entries, 0);

    The function calculates the product of the first two operands
    and finally adds the third operand to that product.  During
    all steps, the function ensures that no integer overflow
    takes place.  If it detects an overflow, the script execution
    will be halted.  Otherwise, it returns the requested amount
    of memory.

    Please audit your source code! Look at each and every
    invocation of emalloc and ensure that instances are properly
    replaced with safe_emalloc calls.

    If your extension code should work independently of the PHP
    version, we suggest placing the following code after
    #include "php.h":

        #ifndef safe_emalloc
        # define safe_emalloc(a,b,c) emalloc((a)*(b)+(c))
        #endif

    This won't protect you from integer overflows.  However, it
    enables you to write code which automatically works savely
    when compiled in the right context.

    - Sascha