Signed integer overflow in metaphone()

Contents

Researcher: Aleksey Solovev (Positive Technologies)

The PHP standard library provides the function metaphone() (php-src/ext/standard/metaphone.c). This function is used for searching and matching words based on their phonetic sound.

This function declares the variable signed int w_idx, which keeps track of the current position in the string passed to metaphone().

https://github.com/php/php-src/blob/9498bc3ee131616344370f59d4f1a6bb46375750/ext/standard/metaphone.c#L171

The maximum value the signed int type can hold is (usually) 2_147_483_647. In C, exceeding this value for signed types is undefined behavior. Frequently, the value will wrap around to -2_147_483_648, but this behavior is not guaranteed.

If the string passed to metaphone() is longer than 2_147_483_647 bytes, a signed integer overflow can occur, resulting in undefined behavior. Accessing the current word through the index after an overflow can result in a segmentation fault or read unrelated memory.

```
$ ./php cli.php
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2977930==ERROR: AddressSanitizer: SEGV on unknown address 0x74748ba00018 (pc 0x6051a40f8a68 bp 0x7ffca9b12420 sp 0x7ffca9b123d0 T0)
==2977930==The signal is caused by a READ memory access.
    #0 0x6051a40f8a68 in metaphone /home/administrator/php/php-src/ext/standard/metaphone.c:192
    #1 0x6051a40f8433 in zif_metaphone /home/administrator/php/php-src/ext/standard/metaphone.c:43
    #2 0x6051a4552725 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/administrator/php/php-src/Zend/zend_vm_execute.h:1355
    #3 0x6051a46b7f4a in execute_ex /home/administrator/php/php-src/Zend/zend_vm_execute.h:116436
    #4 0x6051a46cd123 in zend_execute /home/administrator/php/php-src/Zend/zend_vm_execute.h:121924
    #5 0x6051a4831146 in zend_execute_script /home/administrator/php/php-src/Zend/zend.c:1981
    #6 0x6051a42653ef in php_execute_script_ex /home/administrator/php/php-src/main/main.c:2645
    #7 0x6051a42657ff in php_execute_script /home/administrator/php/php-src/main/main.c:2685
    #8 0x6051a4836cb6 in do_cli /home/administrator/php/php-src/sapi/cli/php_cli.c:951
    #9 0x6051a4839283 in main /home/administrator/php/php-src/sapi/cli/php_cli.c:1362
    #10 0x74758f42a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x74758f42a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #12 0x6051a3406d04 in _start (/home/administrator/php/php-src/sapi/cli/php+0x606d04) (BuildId: 675b273c6c01d12f08faaf607fb51c198e4db43b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/administrator/php/php-src/ext/standard/metaphone.c:192 in metaphone
==2977930==ABORTING
```
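The defensive pattern for the class of bug described above is to check the input length against what the index type can represent before the loop starts, and to never evaluate INT_MAX + 1 on a signed index. The following is an added example written for this page; it is not php-src code and does not reproduce the upstream fix (which this page does not show). All names (len_fits_int_index, idx_increment_checked, scan_word_checked) are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

/* All identifiers below belong to this example, not to php-src. */

/* A signed int index can address at most INT_MAX bytes, and a scanner that
   runs to the terminating NUL needs the index to reach len as well. Reject
   longer inputs before the loop starts instead of discovering the overflow
   inside it. */
static bool len_fits_int_index(size_t len)
{
    return len <= (size_t)INT_MAX;
}

/* Advance a signed int index without ever evaluating INT_MAX + 1, which is
   the undefined operation the advisory describes. Returns false and leaves
   *idx unchanged if the increment would overflow. */
static bool idx_increment_checked(int *idx)
{
    if (*idx >= INT_MAX) {
        return false;
    }
    *idx += 1;
    return true;
}

/* Walk a NUL-terminated word with a signed int index (the shape of the loop
   in the advisory), but guarded: the length precondition runs first and every
   increment is checked. Returns the number of bytes visited, or -1 if the
   input was rejected as too long for an int index. */
static long scan_word_checked(const char *word, size_t len)
{
    if (!len_fits_int_index(len)) {
        return -1;  /* refuse up front rather than overflow later */
    }
    int w_idx = 0;
    long visited = 0;
    while ((size_t)w_idx < len && word[w_idx] != '\0') {
        visited++;
        if (!idx_increment_checked(&w_idx)) {
            return -1;  /* unreachable after the precondition; defence in depth */
        }
    }
    return visited;
}
```

With the precondition in place an oversized input is rejected before any byte is touched, so the index never reaches the undefined increment and the crash in the AddressSanitizer trace above cannot be triggered through this path. A size_t index (or the language's own string length type) avoids the problem entirely and is the better choice for new code.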

Linked CVEs

| CVE-ID | Severity (CVE.org) | CVSS (CVE.org) | EPSS | EPSS-% | Published (CVE.org) |
|---|---|---|---|---|---|
| CVE-2026-7568 | - | - | - | - | |

Source details

| Identifier | Name | Category | Tags | Audience | Language | Feed-URL |
|---|---|---|---|---|---|---|
| PHP Security (php/php-src GHSA) | php_sec | vendor_advisory | php, runtime | - | de | https://github.com/php/php-src/security/advisories |