Bug 1451700 (CVE-2017-8923) - CVE-2017-8923 php: Overflowing the length of string causes crash
Summary: CVE-2017-8923 php: Overflowing the length of string causes crash
Alias: CVE-2017-8923
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1451701
Blocks: 1451702 2020490
Reported: 2017-05-17 10:25 UTC by Adam Mariš
Modified: 2021-11-19 15:45 UTC (History)

Fixed In Version: php 7.4.24, php 8.0.11
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow vulnerability in PHP can lead to a buffer overflow when constructing extremely long strings with the ".=" operator. In unusual circumstances, this could be used by an attacker to cause an application to crash or possibly have other consequences.
Clone Of:
Last Closed: 2017-07-05 05:34:05 UTC


Description Adam Mariš 2017-05-17 10:25:02 UTC
The zend_string_extend function in Zend/zend_string.h in PHP through 7.1.5 does not prevent changes to string objects that result in a negative length, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact by leveraging a script's use of .= with a long string.

Upstream bug:


Comment 1 Adam Mariš 2017-05-17 10:25:23 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1451701]

Comment 2 Huzaifa S. Sidhpurwala 2017-07-05 05:34:05 UTC
This seems to be a flaw in handling very large strings. It is unlikely that this flaw will be triggered by malicious user input, therefore this has very limited security impact.

Comment 3 Tomas Hoger 2021-11-16 22:53:44 UTC
This issue got fixed upstream via the following upstream bug:


Upstream commit:


The fix was applied in versions 7.4.24 and 8.0.11:


The fix depends on the following fix:


Note that upstream does not seem to be planning to apply this fix for PHP 7.3, as they do not consider the issue to be a security flaw:


That classification may be based on the fact that this problem can only be triggered when running with memory_limit higher than 2GB or no memory limit, while the default limit is 128MB:


However, it may also be based on the fact that upstream bug report #73122 only mentions the strlen() function returning an incorrect value without triggering any crash, as noted in the upstream bug report #74577.

To trigger the overflow, a script has to attempt to concatenate a string with more than 2^31 characters to itself. Being able to trigger that in a non-malicious script seems unlikely.

Another mitigating factor is that the 2^31 limit only applies to 32-bit systems. On 64-bit systems, a string would have to be 2^63 characters long, which would not be possible with current hardware. Only 64-bit builds of PHP are provided for Red Hat Enterprise Linux 7 and later.
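
The exposure conditions comment 3 lays out (32-bit build, memory_limit above 2GB or unlimited, fix only shipped in 7.4.24 and 8.0.11, 7.3 left unpatched) can be turned into a read-only configuration audit. The PHP script below is an added example; it is not part of the bug report, of the upstream fix, or of PHP's own code. The function names are this example's own, and treating versions outside the 7.3, 7.4 and 8.0 branches as "not covered by this report" is an assumption rather than anything the report states.

```php
<?php
// Added example (not from the bug report or from PHP itself): report whether a
// PHP build and its memory_limit match the conditions under which the
// zend_string_extend length overflow (CVE-2017-8923) is reachable, following
// the analysis in comment 3. Function names are this script's own choice.

declare(strict_types=1);

/**
 * Convert a php.ini shorthand value ("128M", "2G", "-1") to bytes.
 * Returns -1.0 for "no limit". Floats are used so the result cannot itself
 * overflow a 32-bit integer, which is exactly the situation being audited.
 */
function memoryLimitToBytes(string $value): float
{
    $value = trim($value);
    if ($value === '-1') {
        return -1.0;
    }
    $number = (float) $value; // stops at the first non-digit, like PHP's ini parser
    switch (strtoupper(substr($value, -1))) {
        case 'G': return $number * 1024 ** 3;
        case 'M': return $number * 1024 ** 2;
        case 'K': return $number * 1024;
        default:  return $number;
    }
}

/**
 * Fix status by version, using only what the report says: 7.4.24 and 8.0.11
 * carry the fix, 7.3 will not get it. Any other branch is reported as
 * "not covered" (an assumption of this script, not a statement of the report).
 */
function fixStatusForVersion(string $version): string
{
    if (version_compare($version, '7.3.0', '>=') && version_compare($version, '7.4.0', '<')) {
        return 'unfixed (upstream declined to patch the 7.3 branch)';
    }
    if (version_compare($version, '7.4.0', '>=') && version_compare($version, '8.0.0', '<')) {
        return version_compare($version, '7.4.24', '>=') ? 'fixed' : 'unfixed (fix is in 7.4.24)';
    }
    if (version_compare($version, '8.0.0', '>=') && version_compare($version, '8.1.0', '<')) {
        return version_compare($version, '8.0.11', '>=') ? 'fixed' : 'unfixed (fix is in 8.0.11)';
    }
    return 'not covered by this report';
}

/**
 * Combine build width, memory_limit and version into a one-line verdict.
 * $intSize is PHP_INT_SIZE: 4 on 32-bit builds, 8 on 64-bit builds.
 */
function cve20178923Verdict(int $intSize, string $memoryLimit, string $version): string
{
    if ($intSize >= 8) {
        return 'not reachable: 64-bit build, a string would need more than 2^63 bytes';
    }
    $bytes  = memoryLimitToBytes($memoryLimit);
    $twoGiB = 2.0 * 1024 ** 3;
    // Comment 3: only a limit above 2GB, or no limit at all, lets a string reach 2^31 bytes.
    if ($bytes !== -1.0 && $bytes <= $twoGiB) {
        return "not reachable: 32-bit build but memory_limit=$memoryLimit keeps strings under 2^31 bytes";
    }
    return "reachable: 32-bit build with memory_limit=$memoryLimit; fix status: "
        . fixStatusForVersion($version);
}

// Audit the interpreter this script runs under...
echo cve20178923Verdict(PHP_INT_SIZE, (string) ini_get('memory_limit'), PHP_VERSION), PHP_EOL;

// ...and a few constructed configurations (sample values, not real hosts) that
// exercise each branch of the verdict.
$samples = [
    [4, '128M', '7.4.23'],
    [4, '-1',   '7.4.23'],
    [4, '3G',   '8.0.11'],
    [4, '4G',   '7.3.30'],
    [8, '-1',   '7.3.30'],
];
foreach ($samples as [$size, $limit, $ver]) {
    printf("int_size=%d memory_limit=%-4s version=%-6s -> %s\n",
        $size, $limit, $ver, cve20178923Verdict($size, $limit, $ver));
}
```

Run it as `php audit.php` on the build in question; the first line is the verdict for that interpreter, the rest show how the three conditions combine. The check only reads `PHP_INT_SIZE`, `memory_limit` and the version string, so it is safe to run on production hosts.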
