PHP’s php_mysqlnd_rset_header_read() trusts network data which can result in a heap based buffer overflow.
Affected is PHP 5.3 <= 5.3.2
The vulnerability was discovered by Stefan Esser while auditing the new Mysqlnd PHP extension.
The new Mysqlnd extension handles communication with mysql servers and implements the mysql protocol in the file mysqlnd_wireprotocol.c. While auditing this file several vulnerabilities were discovered. One of them is inside the php_mysqlnd_rset_header_read() function.
packet->info_or_local_file = mnd_emalloc(len + 1);
memcpy(packet->info_or_local_file, p, len);
packet->info_or_local_file[len] = '\0';
packet->info_or_local_file_len = len;
The code above reads the field length from the network buffer and then copies the message into a newly allocated message buffer. This copy operation will result in a heap based buffer oveflow if php_mysqlnd_net_field_length() returns -1. In this case only 0 bytes of memory are allocated, but up to 4 GB are copied.
Proof of concept, exploit or instructions to reproduce
Month of PHP Security does not provide a POC for this vulnerability.
This vulnerability can be fixed by correctly checking the network supplied data.