php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #68706 explicit uninitalized pointer in mbstring
Submitted: 2015-01-01 05:50 UTC Modified: 2015-01-04 05:55 UTC
From: bugreports at internot dot info Assigned:
Status: Closed Package: mbstring related
PHP Version: master-Git-2015-01-01 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bugreports at internot dot info
New email:
PHP Version: OS:

 

 [2015-01-01 05:50 UTC] bugreports at internot dot info 
Description:
------------
Hi,

In /ext/mbstring/mbstring.c:

3891        int state = 0;
3892        int crlf_state = -1;
3893        char *token;
[..]
3897        ps = str;
3898        icnt = str_len;


3912        while (icnt > 0) {
3913                switch (*ps) {
3914                        case ':':
3915                                if (crlf_state == 1) {
3916                                        token_pos++;
3917                                }
3918
3919                                if (state == 0 || state == 1) {
3920                                        fld_name = zend_string_init(token, token_pos, 0);


zend_string_init() is:


Zend/zend_string.h
131static zend_always_inline zend_string *zend_string_init(const char *str, size_t len, int persistent)
132{
133        zend_string *ret = zend_string_alloc(len, persistent);
134
135        memcpy(ret->val, str, len);
136        ret->val[len] = '\0';
137        return ret;
138}

so a null pointer is passed to memcpy on the src variable.


A quick look shows that a testcase could be made if the 'str' in _php_mbstr_parse_mail_headers() is passed with ':'.

Patches

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-01-01 05:59 UTC] bugreports at internot dot info 
"so a null pointer is passed to memcpy on the src variable."
should read
"so a uninitalized pointer is passed to memcpy on the src variable."
 [2015-01-01 06:38 UTC] bugreports at internot dot info 
Here's a reproducer:

<?php
ini_set('zend.multibyte', '1');
ini_set('mbstring.internal_encoding', 'big5');
$recipient = 'bugreports@internot.info';
$headers = ':';
$subject = ':Hello World!';
$message = 'https://internot.info/';
mb_send_mail($recipient, $subject, $message, $headers);


?>




 # ./php lol.php 
Segmentation fault
 [2015-01-04 05:55 UTC] stas@php.net 
This one is interesting since it looks like token_pos would be 0 there, but memcpy wants proper args even with zero length: http://stackoverflow.com/questions/5243012/is-it-guaranteed-to-be-safe-to-perform-memcpy0-0-0

So it still needs a fix. Since it's master only, no reason to hide it.
 [2015-01-04 05:56 UTC] stas@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=599d7a3968cfaf0317adca52bfb0e73ba3e3f52a
Log: Fix bug #68706 - uninitalized pointer in mbstring
 [2015-01-04 05:56 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:40 UTC] davey@php.net 
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=599d7a3968cfaf0317adca52bfb0e73ba3e3f52a
Log: Fix bug #68706 - uninitalized pointer in mbstring
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Sep 07 23:01:27 2024 UTC