PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.1.34
- < 8.2.30
- < 8.3.29
- < 8.4.16
- < 8.5.1
A heap buffer overflow vulnerability has been identified in PHP versions 8.1.* prior to 8.1.34, 8.2.* prior to 8.2.30, 8.3.* prior to 8.3.29, 8.4.* prior to 8.4.16, and 8.5.* prior to 8.5.1. The vulnerability arises in the array_merge() function when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE. This is due to an integer overflow in the precomputation of element counts, leading to memory corruption or crashes, and affecting the integrity and availability of the server.
Exploitation of this vulnerability causes a heap buffer overflow, leading to memory corruption and potential crashes. In a memory-safe language, this would only result in a denial-of-service, but in PHP, it allows for heap corruption, with all the associated risks.
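The integer overflow described above, as a simplified C model added here (it is not PHP engine source). It assumes element counts are summed into a 32-bit counter, and `MODEL_MAX_SIZE` is a constructed stand-in for HT_MAX_SIZE; the checked variant shows the kind of bound check that stops an undersized allocation before any copy happens.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the engine's HT_MAX_SIZE; not the real value. */
#define MODEL_MAX_SIZE 0x40000000u

/* Unchecked precomputation: the 32-bit sum silently wraps modulo 2^32. */
static uint32_t total_unchecked(const uint32_t *counts, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += counts[i];
    return total;
}

/* Checked precomputation: refuse the merge before the running sum can
 * wrap or exceed the table limit. Returns false when it must be refused. */
static bool total_checked(const uint32_t *counts, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (counts[i] > MODEL_MAX_SIZE - total)
            return false;
        total += counts[i];
    }
    *out = total;
    return true;
}

/* Elements a copy loop would write beyond a buffer sized for `alloc`. */
static uint64_t elements_past_end(const uint32_t *counts, size_t n, uint32_t alloc)
{
    uint64_t real = 0;
    for (size_t i = 0; i < n; i++)
        real += counts[i];
    return real > alloc ? real - alloc : 0;
}

int main(void)
{
    /* Constructed input: four maximal arrays plus one small one. */
    uint32_t counts[] = {0x40000000u, 0x40000000u, 0x40000000u, 0x40000000u, 16u};
    size_t n = sizeof counts / sizeof counts[0];
    uint32_t wrapped = total_unchecked(counts, n), safe = 0;
    printf("unchecked total: %u, elements past end: %llu\n", (unsigned)wrapped,
           (unsigned long long)elements_past_end(counts, n, wrapped));
    printf("checked merge allowed: %s\n", total_checked(counts, n, &safe) ? "yes" : "no");
    return 0;
}
```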
The vulnerability can be reproduced by creating a large packed array that exceeds the 32-bit integer limit or the HT_MAX_SIZE limit, and then passing this array to the array_merge() function. This can be done by, for example, generating an array with a range of values that, when merged multiple times, exceeds the allowed limits. Alternatively, large sets of JSON data can be crafted to create a similar effect when decoded and merged using array_merge().
Users can upgrade to PHP versions 8.1.34, 8.2.30, 8.3.29, 8.4.16, or 8.5.1 to address this vulnerability.