CVE-2019-3557: Fix OOB read in readRecord on BZ2Files/OutputFiles

Summary: These File subclasses return -1 on read errors which is not what is expected for readImpl--this made File::readRecord behave unusually if the read fails, causing it to read (size_t)(-1) bytes from its stream buffer; which, unsurprisingly produces a out-of-bounds heap read. Reviewed By: leikahing, jjgriego Differential Revision: D13659395 fbshipit-source-id: 359ed6e3ff9f9cf49b752b666f51c4e0b3ce4b8a
facebook · Jan 14, 2019 · 6e4dd9e · 6e4dd9e
1 parent 50a1c8c
commit 6e4dd9e
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 2 deletions.
diff --git a/hphp/runtime/base/output-file.cpp b/hphp/runtime/base/output-file.cpp
@@ -66,7 +66,7 @@ bool OutputFile::closeImpl() {
 
 int64_t OutputFile::readImpl(char* /*buffer*/, int64_t /*length*/) {
   raise_warning("cannot read from a php://output stream");
-  return -1;
+  return 0;
 }
 
 int OutputFile::getc() {

diff --git a/hphp/runtime/ext/bz2/bz2-file.cpp b/hphp/runtime/ext/bz2/bz2-file.cpp
@@ -95,7 +95,7 @@ int64_t BZ2File::readImpl(char * buf, int64_t length) {
   if (len <= 0) {
     setEof(true);
     if (len < 0) {
-      return -1;
+      return 0;
     }
   }
   return len;

diff --git a/hphp/test/slow/oob_read_file.php b/hphp/test/slow/oob_read_file.php
@@ -0,0 +1,12 @@
+<?hh
+
+<<__EntryPoint>>
+function main() {
+    $a = bzopen("/dev/null", "w");
+    $tmp = stream_get_line($a, 1, "1");
+    var_dump($tmp);
+
+    $a = fopen("php://output", "w");
+    $tmp = stream_get_line($a, 1, "1");
+    var_dump($tmp);
+}
diff --git a/hphp/test/slow/oob_read_file.php.expectf b/hphp/test/slow/oob_read_file.php.expectf
@@ -0,0 +1,4 @@
+string(0) ""
+
+Warning: cannot read from a php://output stream in %s on line %d
+string(0) ""