Hi! We have had a bunch of bugs recently which are essentially one and the same issue: PHP 5.6 allows only int-sized strings, but many functions don't check the size of the string they produce. This can lead to int overflows inside php and also can break other libraries that also assume string sizes are ints and this can cause all kinds of weirdness. However, these bugs are very unlikely to manifest in production setting for one simple reason - they require PHP to run with no memory limit, and I haven't seen many setups that run with no memory limit. I'm not going to go into specifics here, since some of the issues are still not fixed, but you can talk to me privately if you need examples or browse changelogs of later 5.6 releases.
A twin brother of this is in 7.0 where there are just integer overflows in string size calculations. Usually that requires huge strings as inputs, so also requires running with no memory limit. These bugs are now treated as security issues, due to the fact that in theory somebody might be running with no memory limit and get huge string as an input from user. However, it was questioned that we indeed should treat them so, due to the fact that encountering them in production is unlikely, and due to the fact that they require patching in many places, and merging those fixes out-of-band creates significant potential for bugs. I'd like to hear feedback on this, especially - though definitely not only! - from RMs and distro people. There are some libraries (ICU, I'm looking at you!) which have much lower limits and fixed buffers inside and unfortunately they don't enforce or check those limits, they just kind of assume everybody is nice. For those, I think we'd have to treat issues stemming from that as security issues if they look exploitable. Also, some libraries have int overflows independent of PHP (also needing huge strings to trigger) - not sure what to do with those. Would be glad to hear some discussion on this. -- Stas Malyshev smalys...@gmail.com -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
