CVE-2021-21708 php: Use after free due to php_filter_float() failing

Publication Date2022-02-17
SeverityModerate
TypeDenial of Service
Affected PHP Versions
  • 5.6.0 - 5.6.40
  • 7.1.0 - 7.1.33
  • 7.2.0 - 7.2.34
  • 7.3.0 - 7.3.32
  • 7.4.0 - 7.4.27
  • 8.0.0 - 8.0.15
  • 8.1.0 - 8.1.2
  • 8.1.0 - 8.1.
Fixed Product Versions
  • ZendPHP 5.6
  • ZendPHP 7.1
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendServer 9.1.13
  • ZendServer 2019.1.0
  • ZendServer 2021.1.2

CVE Details

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE.

Recommendations

Consider using a different mechanism for validating a float.
As an example, the following function accomplishes equivalent validation:

```php
function validateFloat(mixed $value, float $min, float $max, bool $filterNullOnFailure = false): null|bool|float
{
    if (! is_float($value) && ! is_numeric($value)) {
        return $filterNullOnFailure ? null : false;
    }

    $value = (float) $value;

    if ($min > $value || $max < $value) {
        return $filterNullOnFailure ? null : false;
    }

    return $value;
}
```

Alternately, update to PHP 8.1.3, 8.0.16, 7.4.28, 7.3.33, ZendPHP 7.2.34.8, ZendPHP 7.1.33.12, or ZendPHP 5.6.40.15.