[Help] Question about the range of size_t on x64
2017-4-26 21:11
I have a question; see below.
_______________________
(gdb) r
Starting program: /home/hackyzh/Desktop/php-7.1.4/sapi/cli/php -n poc.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, zif_deflate_add (execute_data=<optimized out>,
return_value=0x7fffffffadc0)
at /home/hackyzh/Desktop/php-7.1.4/ext/zlib/zlib.c:1153
1153 if (in_len <= 0 && flush_type != Z_FINISH) {
(gdb) n
1157 out_size = PHP_ZLIB_BUFFER_SIZE_GUESS(in_len);
(gdb) p in_len
$1 = 4231494864
(gdb) p/x in_len
$2 = 0xfc377cd0
(gdb) n
1158 out_size = (out_size < 64) ? 64 : out_size;
(gdb) p out_size
$3 = 4294967309
(gdb) p/x out_size
$4 = 0x10000000d
(gdb) n
1159 out = zend_string_alloc(out_size, 0);
By rights, out_size above should have overflowed, so why is it still this large? Could it be because of the 64-bit system?
_________________________
gdb-peda$ print l
$43 = 0x40000000 // 1024mb
5) This length "l" is then passed into zend_string_alloc as "4 * l + 2" which results in an integer overflow:
Temporary breakpoint 3, php_escape_shell_arg (str=0x7fffad000018 'A' <repeats 200 times>...) at /home/elaw/php-7.0.1/ext/standard/exec.c:348
348 cmd = zend_string_alloc(4 * l + 2, 0); /* worst case */
gdb-peda$ print 4* l + 2
$44 = 0x2 //Overflow
6) Stepping into zend_string_alloc to verify the integer overflow. Notice len=0x2:
zend_string_alloc (persistent=0x0, len=0x2) at /home/elaw/php-7.0.0/Zend/zend_string.h:121
121 zend_string *ret = (zend_string *)pemalloc(ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(len)), persistent);
Here he is also using an x64 system, so why does it overflow there but not in my case? Very strange.
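The discrepancy the post asks about, as an added example (not code from the post or from PHP): the two size computations carried out at 64-bit and at 32-bit width. PHP_ZLIB_BUFFER_SIZE_GUESS is assumed to be PHP 7's `(size_t)((double)in_len * 1.015) + 10 + 8 + 4 + 1`, which the figures in the first gdb session match exactly; `escape_len_checked` is a hypothetical defensive form showing the overflow check such a size computation needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example; not code from the post or from PHP. The macro below is
 * assumed to be PHP 7's PHP_ZLIB_BUFFER_SIZE_GUESS; the first gdb session
 * (in_len 4231494864 -> out_size 4294967309) matches it exactly. */
#define PHP_ZLIB_BUFFER_SIZE_GUESS(in_len) \
    (((size_t)((double)(in_len) * (double)1.015)) + 10 + 8 + 4 + 1)

/* First session: in_len is size_t, 64 bits on x86-64. The guess is
 * ~4.29e9, past 32 bits but far from 2^64, so nothing wraps. */
uint64_t deflate_guess_64(uint64_t in_len) {
    return (uint64_t)PHP_ZLIB_BUFFER_SIZE_GUESS(in_len);
}

/* Same arithmetic where size_t is only 32 bits wide: 4294967309 wraps to
 * 13, and the allocator would be asked for a tiny buffer for a ~4 GB input. */
uint32_t deflate_guess_32(uint32_t in_len) {
    return (uint32_t)PHP_ZLIB_BUFFER_SIZE_GUESS(in_len);
}

/* Second session: 4 * l + 2 with l = 0x40000000. In 32-bit arithmetic the
 * product wraps to 0 and the sum to 2, exactly the "$44 = 0x2" quoted, so
 * that code's l must have been a 32-bit type (assumed: int), not size_t. */
uint32_t escape_len_32(uint32_t l) {
    return 4u * l + 2u;
}

/* The same expression with a 64-bit l gives 0x100000002: no wrap on x64. */
uint64_t escape_len_64(uint64_t l) {
    return 4 * l + 2;
}

/* Hypothetical defensive form: reject lengths whose 4*l+2 cannot fit in
 * size_t before computing it, whatever the width. Returns 0 on overflow. */
size_t escape_len_checked(size_t l) {
    if (l > (SIZE_MAX - 2) / 4)
        return 0;
    return 4 * l + 2;
}

int main(void) {
    printf("deflate guess, 64-bit size_t: %llu\n",
           (unsigned long long)deflate_guess_64(4231494864ULL));
    printf("deflate guess, 32-bit size_t: %u\n",
           (unsigned)deflate_guess_32(4231494864u));
    printf("4*l+2, 32-bit: 0x%x  64-bit: 0x%llx\n",
           (unsigned)escape_len_32(0x40000000u),
           (unsigned long long)escape_len_64(0x40000000ULL));
    printf("checked(SIZE_MAX) = %zu (0 = rejected)\n", escape_len_checked(SIZE_MAX));
    return 0;
}
```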