php: buffer overflow on bad DNS TXT records (CVE-2014-4049)
PHP heap-based buffer overflow in DNS TXT record parsing. `dlen` can be small while the chunk length exceeds it, which overruns the buffer.
An example site with this bug is berlin.polemb.net running this code:
```php
<?php
$types = array('AAAA' => 1, 'A' => 1);
$records = dns_get_record("berlin.polemb.net",
    DNS_A | DNS_TXT | DNS_AAAA | DNS_CNAME
);
var_dump($records);
```
Reference:
https://security-tracker.debian.org/tracker/CVE-2014-4049
CONFIRM: https://github.com/php/php-src/pull/690
COMMIT:
https://github.com/php/php-src/commit/4f73394fdd95d3165b4391e1b0dedd57fced8c3b
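To illustrate the check whose absence is described above, here is an added example (not code from php-src or from this report): a C parser for TXT RDATA, which is a sequence of length-prefixed chunks, that validates each chunk length against the bytes remaining in `dlen` before copying. The name `txt_rdata_join`, the reject-on-error policy and the sample records are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample RDATA (not captured traffic). */
static const unsigned char GOOD[] = {5,'h','e','l','l','o',3,'a','b','c'};
static const unsigned char BAD[]  = {200,'x','y'}; /* chunk claims 200, only 2 follow */
static char demo_out[64];

/* Hypothetical helper: join the <length><bytes> chunks of a TXT RDATA of
 * dlen bytes into out (capacity out_cap, NUL-terminated on success).
 * Returns the number of text bytes written, or -1 if a chunk length would
 * read past dlen or the output does not fit (out is then unspecified). */
static long txt_rdata_join(const unsigned char *rdata, size_t dlen,
                           char *out, size_t out_cap)
{
    size_t pos = 0;   /* read offset within rdata */
    size_t used = 0;  /* bytes written to out so far */

    if (out_cap == 0)
        return -1;
    while (pos < dlen) {
        size_t n = rdata[pos++];      /* chunk length byte from the wire */
        if (n > dlen - pos)           /* chunk claims more than RDATA holds */
            return -1;
        if (n > out_cap - 1 - used)   /* keep room for the terminator */
            return -1;
        memcpy(out + used, rdata + pos, n);
        used += n;
        pos += n;
    }
    out[used] = '\0';
    return (long)used;
}

int main(void)
{
    printf("good: %ld\n", txt_rdata_join(GOOD, sizeof GOOD, demo_out, sizeof demo_out));
    printf("bad:  %ld\n", txt_rdata_join(BAD, sizeof BAD, demo_out, sizeof demo_out));
    return 0;
}
```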
(from redmine: issue id 3067, created on 2014-06-20, closed on 2014-06-24)
- Relations:
- child #3068 (closed)
- child #3069 (closed)
- child #3070 (closed)
- child #3071 (closed)