CVE-2021-21708 | Zend by Perforce

CVE-2021-21708 php: Use after free due to php_filter_float() failing

Publication Date	2022-02-17
Severity	Moderate
Type	Denial of Service
Affected PHP Versions	5.6.0 - 5.6.40 7.1.0 - 7.1.33 7.2.0 - 7.2.34 7.3.0 - 7.3.32 7.4.0 - 7.4.27 8.0.0 - 8.0.15 8.1.0 - 8.1.2
Fixed Product Versions	ZendPHP 5.6 ZendPHP 7.1 ZendPHP 7.2 ZendPHP 7.3 ZendPHP 7.4 ZendPHP 8.0 ZendPHP 8.1 ZendServer 9.1.13 ZendServer 2019.1.0 ZendServer 2021.1.2

CVE Details

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE.

Recommendations

Consider using a different mechanism for validating a float.
As an example, the following function accomplishes equivalent validation:

```php
function validateFloat(mixed $value, float $min, float $max, bool $filterNullOnFailure = false): null|bool|float
{
    if (! is_float($value) && ! is_numeric($value)) {
        return $filterNullOnFailure ? null : false;
    }

    $value = (float) $value;

    if ($min > $value || $max < $value) {
        return $filterNullOnFailure ? null : false;
    }

    return $value;
}
```

Alternately, update to PHP 8.1.3, 8.0.16, 7.4.28, 7.3.33, ZendPHP 7.2.34.8, ZendPHP 7.1.33.12, or ZendPHP 5.6.40.15.

< View all CVEs