VYPR
High severity · CVSS 7.3 · NVD Advisory · Published Jan 19, 2016 · Updated May 6, 2026

CVE-2016-1904

Description

Integer overflow in PHP escapeshell functions leads to heap buffer overflow, enabling denial of service or code execution via long strings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The vulnerability resides in ext/standard/exec.c in PHP 7.x versions before 7.0.2. The functions php_escape_shell_cmd and php_escape_shell_arg (the C implementations behind escapeshellcmd() and escapeshellarg()) size their output buffers with unchecked integer arithmetic: php_escape_shell_cmd allocates 2 * l bytes and php_escape_shell_arg allocates 4 * l + 2 bytes, where l is the input string length [2][4]. For a large enough l the multiplication wraps, so the allocation is tiny while the escaping loop still writes the full escaped output, producing a heap-based buffer overflow [2]. The 1 GB input cited in the bug report [2] corresponds to a 32-bit length computation: 4 * 2^30 wraps to 0, so only 2 bytes are allocated. If the arithmetic is carried out in 64 bits the same expression does not wrap until l approaches 2^62, so the exact trigger threshold depends on the build; the bug report [2] describes the configuration that was tested. The issue affects PHP 7.0.0 and 7.0.1 [1].

Exploitation

An attacker has to get a very long string into escapeshellarg() or escapeshellcmd(). Because the input itself must be large enough for the size arithmetic to wrap (on the order of 1 GB in the report's configuration), the attack is only feasible when PHP's memory_limit lets the interpreter hold that string, roughly above 1024 MB [2]; the php.ini default of 128M blocks it, and request-size limits such as post_max_size bound how much data can arrive in a single request. The bug report includes a proof-of-concept that writes controlled data beyond the allocated buffer [2]. No authentication is required when the attacker controls the input reaching these functions, which web applications commonly use to escape data before passing it to a shell.

Impact

Successful exploitation corrupts the heap: the escaping loop writes the full escaped output into a buffer that is far too small, overwriting whatever follows it. The reliable outcome is a crash of the PHP process (denial of service); arbitrary code execution is possible in principle, depending on what lies beyond the buffer and on the allocator's layout, which is why the issue is rated high severity with a CVSS v3 score of 7.3 [2][3]. The overflowed bytes are attacker-controlled (they are the escaped form of the input), but the write is sequential past the end of the buffer, not an arbitrary-address write; turning it into one would require a further corruption primitive.

Mitigation

The fix shipped in PHP 7.0.2 [1]. The patch [4] replaces zend_string_alloc(2 * l, 0) and zend_string_alloc(4 * l + 2, 0) with zend_string_safe_alloc(2, l, 0, 0) and zend_string_safe_alloc(4, l, 2, 0), which compute n * m + l with overflow detection instead of trusting the caller's arithmetic. Upgrade to PHP 7.0.2 or later. Where an upgrade is not immediately possible, keeping memory_limit below the size the overflow needs (below 1024 MB) and keeping request-size limits tight removes the practical trigger [2], but these are defence-in-depth settings rather than a fix: the unchecked arithmetic stays in the binary, and upgrading is the only complete remedy.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • PHP / PHP (3 versions)
    • cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*
    • (no CPE) range: >=7.0.0, <7.0.2

Patches

1 patch: 2871c70efaaa

Patch for Heap Buffer Overflow in EscapeShell

https://github.com/php/php-src · libnex · Jan 3, 2016 · via body-scan
1 file changed · +2 −2
  • ext/standard/exec.c (+2 −2, modified)
    @@ -253,7 +253,7 @@ PHPAPI zend_string *php_escape_shell_cmd(char *str)
     #endif
     
     
    -	cmd = zend_string_alloc(2 * l, 0);
    +	cmd = zend_string_safe_alloc(2, l, 0, 0);
     
     	for (x = 0, y = 0; x < l; x++) {
     		int mb_len = php_mblen(str + x, (l - x));
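Review bot: the hunk gives no justification for 2 * l being the worst case for the loop that follows, and with the multiplier now split out as a separate argument `zend_string_safe_alloc(2, l, 0, 0)` reads as a magic constant. Suggest carrying a comment like the `/* worst case */` on the arg function that states the per-byte expansion bound this loop assumes, since the loop still indexes `cmd` by `y` without any runtime check against the allocated length.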
    @@ -345,7 +345,7 @@ PHPAPI zend_string *php_escape_shell_arg(char *str)
     	size_t estimate = (4 * l) + 3;
     
     
    -	cmd = zend_string_alloc(4 * l + 2, 0); /* worst case */
    +	cmd = zend_string_safe_alloc(4, l, 2, 0); /* worst case */
     
     #ifdef PHP_WIN32
     	ZSTR_VAL(cmd)[y++] = '"';
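Review bot: `size_t estimate = (4 * l) + 3;` two lines above the changed call still uses the unchecked arithmetic the patch removes from the allocation, so whatever later consumes `estimate` sees a wrapped value for exactly the inputs the new call is meant to catch. If the safe allocator bails out on overflow the stale value is unreachable, but that is a property of the callee, not something visible in this hunk; derive it from the allocated length instead (e.g. `estimate = ZSTR_LEN(cmd) + 1;` after the alloc) or drop it so the two sizes cannot drift apart.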
    

Vulnerability mechanics

Root cause

"Integer overflows in memory allocation functions allow for heap-based buffer overflows."

Attack vector

Remote attackers can trigger this vulnerability by supplying a long string to escapeshellcmd() or escapeshellarg(), whose C implementations are `php_escape_shell_cmd` and `php_escape_shell_arg`. The length of the input causes the buffer-size arithmetic to wrap during memory allocation, so the escaped output is written past the end of a heap buffer that is far too small. The vulnerability is present in PHP 7.x before version 7.0.2 [1].

Affected code

The vulnerability exists in the `ext/standard/exec.c` file within the `php_escape_shell_cmd` and `php_escape_shell_arg` functions (patch 2871c70efaaa above). These functions are responsible for escaping shell metacharacters in a command string and for quoting a single argument, respectively.

What the fix does

The patch replaces `zend_string_alloc` with `zend_string_safe_alloc` in both `php_escape_shell_cmd` and `php_escape_shell_arg` (patch 2871c70efaaa above). `zend_string_safe_alloc(n, m, l, persistent)` takes the size as separate factors and computes n * m + l itself with overflow checking, so the two call sites become `zend_string_safe_alloc(2, l, 0, 0)` and `zend_string_safe_alloc(4, l, 2, 0)` in place of the unchecked `2 * l` and `4 * l + 2`. An input long enough to wrap the product is rejected before any buffer exists, which removes the undersized allocation that the heap-based buffer overflow depends on.
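The arithmetic the fix guards, as an added example that is not code from php-src or from the patch: a reduced C model of the escapeshellarg() sizing. It evaluates the pre-7.0.2 expression in 32 bits so the wrap described above (4 * 2^30 + 2 becoming 2) is reproducible on any host, provides an overflow-checked n * m + l helper in the role zend_string_safe_alloc plays in the patch, and includes a POSIX single-quote escaper that sizes its buffer with the checked helper, which also shows why 4 * l + 2 is the worst case (each ' becomes '\'' plus two enclosing quotes). The function names, the 32-bit model and the omission of PHP's multibyte handling are this example's own assumptions; the overflow builtins are GCC/Clang extensions.

```c
/* Added example, not code from php-src: a reduced model of the
 * escapeshellarg() size arithmetic behind CVE-2016-1904.
 * - alloc_size_unchecked32(): the pre-7.0.2 expression n * len + extra,
 *   evaluated in 32 bits so the wrap for a 2^30-byte input reproduces
 *   on any host (assumption: a 32-bit length computation).
 * - alloc_size_checked(): the contract the fix relies on, n * m + l with
 *   every step overflow-checked, refusing the request instead of wrapping.
 * - escape_shell_arg_posix(): a POSIX single-quote escaper (each ' becomes
 *   '\'' , the 4x worst case, plus two enclosing quotes) that sizes its
 *   buffer with the checked helper. PHP's multibyte handling is omitted.
 * All function names here are this example's own, not PHP's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable arithmetic as it behaves with a 32-bit size: no check,
 * so 4 * 0x40000000 + 2 silently becomes 2. */
uint32_t alloc_size_unchecked32(uint32_t n, uint32_t len, uint32_t extra)
{
    return (uint32_t)(n * len + extra);
}

/* Checked n*len+extra (GCC/Clang builtins). Returns false when the
 * multiply or the add would wrap; *out is only written on success. */
bool alloc_size_checked(size_t n, size_t len, size_t extra, size_t *out)
{
    size_t prod, sum;
    if (__builtin_mul_overflow(n, len, &prod)) return false;
    if (__builtin_add_overflow(prod, extra, &sum)) return false;
    *out = sum;
    return true;
}

/* Worst-case expansion of the POSIX escaper: 4 output bytes per input
 * byte (only ' expands that far) plus the two enclosing quotes. */
#define ESC_PER_BYTE 4
#define ESC_FIXED    2

/* Bytes the escaped form of a len-byte input can need at most, NUL
 * excluded; false if that size itself overflows. */
bool worst_case_size(size_t len, size_t *out)
{
    return alloc_size_checked(ESC_PER_BYTE, len, ESC_FIXED, out);
}

/* Returns a malloc'd NUL-terminated escaped string, or NULL if the size
 * computation would overflow or malloc fails. Caller frees. */
char *escape_shell_arg_posix(const char *str)
{
    size_t len = strlen(str), need, y = 0;
    /* +1 for the terminator; refuse instead of wrapping. */
    if (!alloc_size_checked(ESC_PER_BYTE, len, ESC_FIXED + 1, &need))
        return NULL;
    char *cmd = malloc(need);
    if (!cmd) return NULL;
    cmd[y++] = '\'';
    for (size_t x = 0; x < len; x++) {
        if (str[x] == '\'') {      /* close quote, escaped ', reopen */
            cmd[y++] = '\''; cmd[y++] = '\\';
            cmd[y++] = '\''; cmd[y++] = '\'';
        } else {
            cmd[y++] = str[x];
        }
    }
    cmd[y++] = '\'';
    cmd[y] = '\0';                 /* y <= need - 1 by construction */
    return cmd;
}

int main(void)
{
    size_t need = 0;
    printf("32-bit model, 4 * 2^30 + 2 -> %u bytes allocated\n",
           alloc_size_unchecked32(4, 0x40000000u, 2));
    if (worst_case_size((size_t)1 << 30, &need))
        printf("checked on this host        -> %zu bytes needed\n", need);
    else
        printf("checked on this host        -> refused (overflow)\n");
    char *e = escape_shell_arg_posix("it's");
    printf("escape(\"it's\") = %s\n", e ? e : "(overflow)");
    free(e);
    return 0;
}
```

On a 64-bit host the checked call reports the real requirement for a 2^30-byte input (4294967298 bytes) while the 32-bit model reports 2, which is the gap the escaping loop then writes into; on a build where size arithmetic is 32 bits wide the checked version refuses the request outright, which is the behaviour the patch restores.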

Preconditions

  • input: a long string passed to `php_escape_shell_cmd` or `php_escape_shell_arg` (via escapeshellcmd() or escapeshellarg()).

Reproduction

https://bugs.php.net/bug.php?id=71270

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.