Skip to content

ext/standard: fix out-of-bounds access in the ftp:// directory stream#22768

Closed
iliaal wants to merge 1 commit into
php:PHP-8.4from
iliaal:std-ss002-ftp-dirstream
Closed

ext/standard: fix out-of-bounds access in the ftp:// directory stream#22768
iliaal wants to merge 1 commit into
php:PHP-8.4from
iliaal:std-ss002-ftp-dirstream

Conversation

@iliaal

@iliaal iliaal commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

php_ftp_dirstream_read() sized the basename copy with MIN(sizeof, len - 1) and terminated at [tmp_len - 1]. An empty listing line gives a basename of length 1, so tmp_len is 0 and the terminator lands one byte before d_name; a slash-only line gives length 0, so len - 1 underflows to SIZE_MAX and memcpy reads 4096 bytes past the interned empty string. ASAN flags both. The same off-by-one truncated entry names that do not end in CRLF, which opendir-002 and opendir-004 had baked in as expected output.

Floor: PHP-8.4.

@iliaal
iliaal requested a review from bukka as a code owner July 16, 2026 16:39
php_ftp_dirstream_read() sized the basename copy with
MIN(sizeof(ent->d_name), ZSTR_LEN(basename) - 1) and wrote the terminator at
[tmp_len - 1]. An empty listing line leaves a basename of length 1, so
tmp_len is 0 and the NUL lands one byte before d_name; a slash-only line
leaves length 0, so the subtraction underflows to SIZE_MAX and memcpy() reads
4096 bytes past the interned empty string. The same off-by-one truncated
entry names that do not end in CRLF.

Closes phpGH-22768
@iliaal iliaal closed this in b750803 Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants