Unrated severity · NVD Advisory · Published Apr 27, 2020 · Updated Sep 17, 2024
OOB Read in urldecode()
CVE-2020-7067
Description
In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), the urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.
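The signed-index mechanics behind this bug, as an added C illustration that is not code from PHP or from this advisory; hex_pair_to_int and the translate table are constructed stand-ins for php_htoi() and os_toebcdic, and the lookup is kept in bounds rather than reproducing the read:

```c
/* Stand-in for PHP's php_htoi(): two hex digits -> 0..255, or -1 if
   either character is not a hex digit. Hypothetical helper, not PHP's code. */
static int hex_pair_to_int(const char *s) {
    int v = 0;
    for (int i = 0; i < 2; i++) {
        char c = s[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;
        v = v * 16 + d;
    }
    return v;
}

/* Index the pre-fix code computed: (char) of a value in 0x80..0xFF is
   negative where plain char is signed (x86 Linux, the usual case), so the
   table lookup would read up to 128 bytes before the 256-entry table.
   signed char is written explicitly so the result does not depend on the
   build platform's plain-char signedness. */
int index_with_char_cast(const char *hex) {
    return (int)(signed char)hex_pair_to_int(hex);
}

/* Index the fixed code computes: (unsigned char) always yields 0..255. */
int index_with_unsigned_cast(const char *hex) {
    return (int)(unsigned char)hex_pair_to_int(hex);
}

/* Constructed 256-entry translation table standing in for os_toebcdic;
   filled with a bit inversion (entry i holds 255 - i) so the translation
   is observable in the result. */
static unsigned char translate[256];
static int table_ready = 0;

/* Decode one "%XY" escape through the table the way the fixed code does.
   Returns the translated byte (0..255) or -1 if the escape is malformed. */
int decode_escape_fixed(const char *s) {
    if (!table_ready) {
        for (int i = 0; i < 256; i++) translate[i] = (unsigned char)~i;
        table_ready = 1;
    }
    if (s[0] != '%') return -1;
    int v = hex_pair_to_int(s + 1);
    if (v < 0) return -1;                /* reject malformed input */
    return translate[(unsigned char)v];  /* index is provably in range */
}
```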
Affected products
Patches
3a516aa0d2c75 Update versions for PHP 7.2.30
2 files changed · +3 −3
configure.ac+1 −1 modified@@ -108,7 +108,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=7 PHP_MINOR_VERSION=2 PHP_RELEASE_VERSION=30 -PHP_EXTRA_VERSION="-dev" +PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
main/php_version.h+2 −2 modified@@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 2 #define PHP_RELEASE_VERSION 30 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "7.2.30-dev" +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "7.2.30" #define PHP_VERSION_ID 70230
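Review bot: configure.ac and main/php_version.h each carry their own copy of the release string (the "-dev" suffix is dropped in both), so these two hunks have to move together; PHP_VERSION_ID stays 70230, which is consistent with 7.2.30. Nothing in this commit touches ext/standard/url.c, so the version bump alone is not the fix for bug #79465: a build reporting 7.2.30 is only fixed if 2c0d56cc150a is also in the tree.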
ab4d1893fa76 Update versions for PHP 7.4.5
2 files changed · +3 −3
configure.ac+1 −1 modified@@ -17,7 +17,7 @@ dnl Basic autoconf initialization, generation of config.nice. dnl ---------------------------------------------------------------------------- AC_PREREQ([2.68]) -AC_INIT([PHP],[7.4.5-dev],[https://bugs.php.net],[php],[https://www.php.net]) +AC_INIT([PHP],[7.4.5],[https://bugs.php.net],[php],[https://www.php.net]) AC_CONFIG_SRCDIR([main/php_version.h]) AC_CONFIG_AUX_DIR([build]) AC_PRESERVE_HELP_ORDER
main/php_version.h+2 −2 modified@@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 4 #define PHP_RELEASE_VERSION 5 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "7.4.5-dev" +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "7.4.5" #define PHP_VERSION_ID 70405
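Review bot: the 7.4 branch keeps the version as a literal in AC_INIT([PHP],[7.4.5],...) while main/php_version.h defines it piecewise, so the same value is maintained in two places and the two hunks must stay in step (PHP_VERSION_ID 70405 matches). As with the 7.2.30 bump, this commit changes no code in ext/standard/url.c; the actual fix for the OOB read is 2c0d56cc150a.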
2c0d56cc150a Fix bug #79465 - use unsigneds as indexes.
2 files changed · +3 −2
ext/standard/url.c+2 −2 modified@@ -547,7 +547,7 @@ PHPAPI size_t php_url_decode(char *str, size_t len) #ifndef CHARSET_EBCDIC *dest = (char) php_htoi(data + 1); #else - *dest = os_toebcdic[(char) php_htoi(data + 1)]; + *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)]; #endif data += 2; len -= 2; @@ -643,7 +643,7 @@ PHPAPI size_t php_raw_url_decode(char *str, size_t len) #ifndef CHARSET_EBCDIC *dest = (char) php_htoi(data + 1); #else - *dest = os_toebcdic[(char) php_htoi(data + 1)]; + *dest = os_toebcdic[(unsigned char) php_htoi(data + 1)]; #endif data += 2; len -= 2;
NEWS+1 −0 modified@@ -36,6 +36,7 @@ PHP NEWS - Standard: . Fixed bug #79330 (shell_exec() silently truncates after a null byte). (stas) + . Fixed bug #79465 (OOB Read in urldecode()). (stas) . Fixed bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline). (Christian Schneider)
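Review bot: the one-token change in the php_url_decode hunk is the whole fix and it is correct: the non-EBCDIC branch shows php_htoi(data + 1) producing a byte value, and casting that value through plain char before indexing os_toebcdic turns every %80..%FF escape into a negative index on signed-char platforms, reading up to 128 bytes before the table; (unsigned char) keeps the index within 0..255. Consider adding a comment or a static assertion on the size of os_toebcdic at the lookup so the next table index in this file does not reintroduce the signed cast.

Review bot: the php_raw_url_decode hunk shows the same #ifdef CHARSET_EBCDIC block with the same cast, so the duplicated code carried the duplicated bug; both copies are fixed here, but factoring the escape decode into one shared helper used by php_url_decode and php_raw_url_decode would have made a single fix sufficient and would make the rarely compiled EBCDIC path easier to test.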
References
- www.debian.org/security/2020/dsa-4717 (MITRE; vendor advisory; x_refsource_DEBIAN)
- www.debian.org/security/2020/dsa-4719 (MITRE; vendor advisory; x_refsource_DEBIAN)
- bugs.php.net/bug.php (MITRE; x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20200504-0001/ (MITRE; x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuApr2021.html (MITRE; x_refsource_MISC)
- www.oracle.com/security-alerts/cpuoct2020.html (MITRE; x_refsource_MISC)
- www.tenable.com/security/tns-2021-14 (MITRE; x_refsource_CONFIRM)