PHP :: Sec Bug #77418 :: Heap overflow in utf32be_mbc_to

Sec Bug #77418	Heap overflow in utf32be_mbc_to_code
Submitted:	2019-01-07 01:22 UTC	Modified:	2019-02-22 22:08 UTC
From:	hugh at allthethings dot co dot nz	Assigned:	stas (profile)
Status:	Closed	Package:	mbstring related
PHP Version:	5.6.39	OS:	Linux
Private report:	No	CVE-ID:	2019-9023

View Developer Edit

[2019-01-07 01:22 UTC] hugh at allthethings dot co dot nz

Description:
------------
The function utf32be_mbc_to_code assumes a buffer that contains 4 more characters in it (for a valid UTF-32 character). However, when a unterminated multibyte is passed to the regex match then the buffer will overflow.

Reproduced on 5.6.39, 7.0.33, 7.1.25, 7.2.13, 7.3.0 and master.

Patch available at https://gist.github.com/hughdavenport/3db8c2b9f92765c84196b387c32faaea

Test script:
---------------
php -r 'mb_regex_encoding("UTF-32");var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));'


Expected result:
----------------
no crash

Actual result:
--------------
$ ../src/php-src/sapi/cli/php -r 'mb_regex_encoding("UTF-32");var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));'
=================================================================
==27697==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000061d8 at pc 0x000000a0980f bp 0x7fffae9f0f60 sp 0x7fffae9f0f58
READ of size 1 at 0x6060000061d8 thread T0
    #0 0xa0980e in utf32be_mbc_to_code /home/hugh/src/php-src/ext/mbstring/oniguruma/src/utf32_be.c:70:70
    #1 0x993369 in match_at /home/hugh/src/php-src/ext/mbstring/oniguruma/src/regexec.c:3067:15
    #2 0x99ea2d in onig_search_with_param /home/hugh/src/php-src/ext/mbstring/oniguruma/src/regexec.c:4855:7
    #3 0x99c8e6 in onig_search /home/hugh/src/php-src/ext/mbstring/oniguruma/src/regexec.c:4614:7
    #4 0xae1a3c in zif_mb_split /home/hugh/src/php-src/ext/mbstring/php_mbregex.c:1265:9
    #5 0x1480525 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/hugh/src/php-src/Zend/zend_vm_execute.h:694:2
    #6 0x1270cfd in execute_ex /home/hugh/src/php-src/Zend/zend_vm_execute.h:55012:7
    #7 0x12716d6 in zend_execute /home/hugh/src/php-src/Zend/zend_vm_execute.h:60595:2
    #8 0x1083690 in zend_eval_stringl /home/hugh/src/php-src/Zend/zend_execute_API.c:1063:4
    #9 0x1083f1a in zend_eval_stringl_ex /home/hugh/src/php-src/Zend/zend_execute_API.c:1104:11
    #10 0x1083f1a in zend_eval_string_ex /home/hugh/src/php-src/Zend/zend_execute_API.c:1115
    #11 0x15b2127 in do_cli /home/hugh/src/php-src/sapi/cli/php_cli.c:1023:8
    #12 0x15aef3e in main /home/hugh/src/php-src/sapi/cli/php_cli.c:1384:18
    #13 0x7f79623c4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x43bfe9 in _start (/home/hugh/src/php-src/sapi/cli/php+0x43bfe9)

0x6060000061d8 is located 0 bytes to the right of 56-byte region [0x6060000061a0,0x6060000061d8)
allocated by thread T0 here:
    #0 0x4f1640 in malloc (/home/hugh/src/php-src/sapi/cli/php+0x4f1640)
    #1 0xfd4a7c in __zend_malloc /home/hugh/src/php-src/Zend/zend_alloc.c:2930:14
    #2 0xfdec4c in zval_make_interned_string /home/hugh/src/php-src/Zend/zend_compile.c:478:16
    #3 0xfdec4c in zend_insert_literal /home/hugh/src/php-src/Zend/zend_compile.c:490
    #4 0xfdec4c in zend_add_literal /home/hugh/src/php-src/Zend/zend_compile.c:511
    #5 0xfdec4c in zend_emit_op /home/hugh/src/php-src/Zend/zend_compile.c:1988

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hugh/src/php-src/ext/mbstring/oniguruma/src/utf32_be.c:70:70 in utf32be_mbc_to_code
Shadow bytes around the buggy address:
  0x0c0c7fff8be0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8bf0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8c00: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8c10: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
  0x0c0c7fff8c20: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
=>0x0c0c7fff8c30: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c0c7fff8c40: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8c50: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27697==ABORTING

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-01-07 01:37 UTC] stas@php.net

OnigCodePoint is unsigned long, so converting NULL to it is not right. But I think we could probably just return 0 there.

[2019-01-07 01:42 UTC] hugh at allthethings dot co dot nz

Yeh wasn't too sure on that as wasn't clear what a good error code would be. I've got a crash on UTF16 as well, I'll do a patch with 0 instead of NULL for that one.

[2019-01-07 01:44 UTC] stas@php.net

this should fix it: https://gist.github.com/smalyshev/2b4a3c7d838e81f45f813090fe4db5ad

I'll add tests a bit later for the full patch

[2019-01-07 01:56 UTC] stas@php.net

Related To: Bug #77419

[2019-01-07 07:35 UTC] stas@php.net

-Assigned To: +Assigned To: stas

[2019-01-07 08:10 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a
Log: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code

[2019-01-07 08:10 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2019-01-07 08:19 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a
Log: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code

[2019-01-07 08:20 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a
Log: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code

[2019-01-07 08:20 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a
Log: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code

[2019-01-07 08:21 UTC] stas@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a
Log: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code

[2019-01-07 13:17 UTC] cmb@php.net

Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b6fe458ef9ac1372b60c3d3810b0358e2e20840d
Log: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code

[2019-02-22 22:08 UTC] stas@php.net

-CVE-ID: +CVE-ID: 2019-9023

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Feb 21 16:01:29 2025 UTC