Sec Bug #68706 explicit uninitialized pointer in mbstring
Submitted: 2015-01-01 05:50 UTC Modified: 2015-01-04 05:55 UTC
From: bugreports at internot dot info Assigned:
Status: Closed Package: mbstring related
PHP Version: master-Git-2015-01-01 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-01 05:50 UTC] bugreports at internot dot info
Description:
------------
Hi,

In /ext/mbstring/mbstring.c:

3891        int state = 0;
3892        int crlf_state = -1;
3893        char *token;
[..]
3897        ps = str;
3898        icnt = str_len;


3912        while (icnt > 0) {
3913                switch (*ps) {
3914                        case ':':
3915                                if (crlf_state == 1) {
3916                                        token_pos++;
3917                                }
3918
3919                                if (state == 0 || state == 1) {
3920                                        fld_name = zend_string_init(token, token_pos, 0);


zend_string_init() is:


Zend/zend_string.h
131    static zend_always_inline zend_string *zend_string_init(const char *str, size_t len, int persistent)
132    {
133            zend_string *ret = zend_string_alloc(len, persistent);
134
135            memcpy(ret->val, str, len);
136            ret->val[len] = '\0';
137            return ret;
138    }

so a null pointer is passed to memcpy on the src variable.


A quick look shows that a test case could be made if the 'str' in _php_mbstr_parse_mail_headers() is passed with ':'.




 [2015-01-01 05:59 UTC] bugreports at internot dot info
"so a null pointer is passed to memcpy on the src variable."
should read
"so an uninitialized pointer is passed to memcpy on the src variable."
 [2015-01-01 06:38 UTC] bugreports at internot dot info
Here's a reproducer:

<?php
// Reproducer: a $headers string that starts with ':' makes
// _php_mbstr_parse_mail_headers() see ':' before any field-name byte,
// so zend_string_init() is reached with token still unset.
ini_set('zend.multibyte', '1');
ini_set('mbstring.internal_encoding', 'big5');
$recipient = 'bugreports@internot.info';
$headers = ':';
$subject = ':Hello World!';
$message = 'https://internot.info/';
mb_send_mail($recipient, $subject, $message, $headers);
?>




 # ./php lol.php 
Segmentation fault
 [2015-01-04 05:55 UTC] stas@php.net
This one is interesting since it looks like token_pos would be 0 there, but memcpy wants proper args even with zero length: http://stackoverflow.com/questions/5243012/is-it-guaranteed-to-be-safe-to-perform-memcpy0-0-0

So it still needs a fix. Since it's master only, no reason to hide it.
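The two points made in this thread (the submitter's: `token` is read before any assignment on the `':'` path; stas's: `memcpy` needs a valid `src` even when `len` is 0) are both avoidable in a header tokenizer of the same shape. The following is an added, stand-alone example written for this page, not PHP's `_php_mbstr_parse_mail_headers()` and not the fix in the commit above. It parses a constructed `"Name: value\r\n"` block the way the quoted loop does, but keeps the token pointer initialised to the start of the buffer on every path and never hands an empty token to `memcpy`. The function and struct names (`parse_mail_headers`, `dup_n`, `store`, `struct header`) are my own and the inputs are constructed, including the reproducer's bare `":"`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed "Name: value" record. */
struct header {
    char *name;
    char *value;
};

/* Bounded copy into a fresh NUL-terminated string. memcpy() requires a valid
 * src even when len == 0 (stas's point), so an empty token never reaches it.
 * Returns NULL on allocation failure. */
static char *dup_n(const char *src, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    if (len > 0)
        memcpy(out, src, len);
    out[len] = '\0';
    return out;
}

/* Store a record unless the field name is empty (the reproducer's bare ':')
 * or the table is full. Takes ownership of name and frees it when dropping. */
static size_t store(struct header *out, size_t n, size_t max,
                    char *name, const char *val, size_t vlen)
{
    if (name == NULL || name[0] == '\0' || n >= max) {
        free(name);
        return n;
    }
    out[n].name = name;
    out[n].value = dup_n(val, vlen);
    return n + 1;
}

/* Parse "Name: value\r\n" records out of buf[0..len). Returns the number of
 * records written to out (at most max). The token pointer is initialised
 * before the loop and re-pointed into buf at every boundary, so it is valid
 * on every path, including an input whose first byte is ':'. */
static size_t parse_mail_headers(const char *buf, size_t len,
                                 struct header *out, size_t max)
{
    const char *tok = buf;      /* always points into buf, never unset */
    size_t tok_len = 0, n = 0, i;
    char *name = NULL;
    int in_value = 0;

    for (i = 0; i < len; i++) {
        char c = buf[i];
        if (!in_value) {
            if (c == ':') {
                name = dup_n(tok, tok_len);   /* safe even when tok_len == 0 */
                in_value = 1;
                tok = buf + i + 1;
                tok_len = 0;
            } else if (c == '\n') {           /* line without ':' is discarded */
                tok = buf + i + 1;
                tok_len = 0;
            } else {
                tok_len++;
            }
        } else if (c == '\n') {
            size_t vlen = tok_len;
            if (vlen > 0 && tok[vlen - 1] == '\r')
                vlen--;                       /* strip the CR of CRLF */
            n = store(out, n, max, name, tok, vlen);
            name = NULL;
            in_value = 0;
            tok = buf + i + 1;
            tok_len = 0;
        } else if (tok_len == 0 && (c == ' ' || c == '\t')) {
            tok++;                            /* skip blanks before the value */
        } else {
            tok_len++;
        }
    }
    if (in_value) {                           /* value not terminated by LF */
        size_t vlen = tok_len;
        if (vlen > 0 && tok[vlen - 1] == '\r')
            vlen--;
        n = store(out, n, max, name, tok, vlen);
    }
    return n;
}

static void free_headers(struct header *h, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        free(h[i].name);
        free(h[i].value);
    }
}

int main(void)
{
    /* Constructed inputs: the reproducer's ':' and a normal header block. */
    const char *in[] = { ":", ":Hello World!", "Subject: Hi\r\nX-Foo:bar\r\n" };
    size_t k, i;
    for (k = 0; k < 3; k++) {
        struct header h[8];
        size_t n = parse_mail_headers(in[k], strlen(in[k]), h, 8);
        printf("input %zu -> %zu record(s)\n", k, n);
        for (i = 0; i < n; i++)
            printf("  [%s] = [%s]\n", h[i].name, h[i].value);
        free_headers(h, n);
    }
    return 0;
}
```

Running it on the reproducer's `":"` yields zero records instead of a segfault; the `len > 0` guard in `dup_n` is what keeps a zero-length copy from depending on an argument `memcpy` is still entitled to read.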
 [2015-01-04 05:56 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=599d7a3968cfaf0317adca52bfb0e73ba3e3f52a
Log: Fix bug #68706 - uninitalized pointer in mbstring
 [2015-01-04 05:56 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=599d7a3968cfaf0317adca52bfb0e73ba3e3f52a
Log: Fix bug #68706 - uninitalized pointer in mbstring
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 14:01:32 2024 UTC