[v2.7] php: buffer overflow on bad DNS TXT records (CVE-2014-4049)
PHP heap-based buffer overflow in DNS TXT record parsing. `dlen` can be small but then the chunk length could exceed it and overrun the buffer.
An example site with this bug is berlin.polemb.net running this code:
```php
$types = array('AAAA' => 1, 'A' => 1);
// Look up A, TXT, AAAA and CNAME records for the affected name
$records = dns_get_record("berlin.polemb.net",
    DNS_A | DNS_TXT | DNS_AAAA | DNS_CNAME
);
var_dump($records);
```
Reference:
- https://security-tracker.debian.org/tracker/CVE-2014-4049
- CONFIRM: https://github.com/php/php-src/pull/690
- COMMIT: https://github.com/php/php-src/commit/4f73394fdd95d3165b4391e1b0dedd57fced8c3b
(from redmine: issue id 3070, created on 2014-06-20, closed on 2014-06-24)
- Relations:
- parent #3067 (closed)
- Changesets:
- Revision e75552b6 by Natanael Copa on 2014-06-23T16:14:51Z:
main/php: fix CVE-2014-4049
fixes #3070
(cherry picked from commit fec747b9906380f6b5bc0cb26a8f387014b81b72)
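The length check the description calls for, as an added example (not the php-src patch and not Alpine's code): a stand-alone C decoder for TXT record data that refuses a chunk whose length byte exceeds what `dlen` leaves. The function name `txt_decode`, the choice to reject rather than truncate, and both sample byte arrays are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample RDATA, not captured from any real zone. */
static const unsigned char GOOD_TXT[] = {5,'h','e','l','l','o',3,'f','o','o'};
/* Shape of the bug: dlen is 4, but the length byte claims 200 bytes. */
static const unsigned char BAD_TXT[]  = {200,'A','B','C'};

/*
 * Decode TXT RDATA, a run of <length byte><text> chunks, into out.
 * dlen is the record's declared data length. Returns the number of
 * text bytes written (out is NUL-terminated), or -1 when a chunk
 * would read past dlen or the text would not fit in outcap.
 */
long txt_decode(const unsigned char *rdata, size_t dlen,
                char *out, size_t outcap)
{
    size_t in = 0, w = 0;

    if (outcap == 0)
        return -1;
    while (in < dlen) {
        size_t n = rdata[in++];     /* chunk length, 0..255 */
        if (n > dlen - in)          /* chunk exceeds what dlen leaves */
            return -1;
        if (n > outcap - 1 - w)     /* keep one byte for the NUL */
            return -1;
        memcpy(out + w, rdata + in, n);
        w  += n;
        in += n;
    }
    out[w] = '\0';
    return (long)w;
}

int main(void)
{
    char buf[64];
    long r = txt_decode(GOOD_TXT, sizeof GOOD_TXT, buf, sizeof buf);
    printf("good: %ld \"%s\"\n", r, r >= 0 ? buf : "");
    r = txt_decode(BAD_TXT, sizeof BAD_TXT, buf, sizeof buf);
    printf("bad:  %ld\n", r);
    return 0;
}
```

Both comparisons are written as subtractions from the known bound (`dlen - in`, `outcap - 1 - w`) so that the check itself cannot wrap around.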