Sec Bug #68834 Off-by-one out-of-bounds write
Submitted: 2015-01-15 05:36 UTC Modified: 2015-03-20 05:49 UTC
From: bugreports at internot dot info Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: master-Git-2015-01-15 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-15 05:36 UTC] bugreports at internot dot info
Description:
------------
Hi,

In /ext/mbstring/oniguruma/regcomp.c:

4237  for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) {
4238    len = enclen(enc, p);
4239    if (i + len > OPT_EXACT_MAXLEN) break;
4240    for (j = 0; j < len && p < end; j++)
4241      to->s[i++] = *p++;

On L4237, 'i' may be 23 on the true branch.
Then on line 4241, 'i' is bumped up to 24, which goes past the buffer for that array.


Thanks,


History
 [2015-01-19 05:18 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2015-01-19 05:18 UTC] stas@php.net
Not sure where you see the problem - while i can be 24 there, since i++ returns the pre-increment value, to->s is never accessed with parameter 24, since the value of 24 is assumed only after to->s[i++] is evaluated. Could you explain where you see the problem?
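The point about post-increment can be checked directly. The following is an added example, not code from the bug report or from Oniguruma: it reproduces the copy loop quoted above against a fixed-size array with a canary byte placed immediately after it, starts with to->len == 23 as the report describes, and records the highest index actually stored through. It assumes OPT_EXACT_MAXLEN is 24 (the value implied by the report's "23 ... bumped up to 24") and replaces enclen() with a single-byte-encoding stand-in; the struct is a trimmed stand-in for OptExactInfo, not the real definition.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: OPT_EXACT_MAXLEN is 24, as implied by the report. */
#define OPT_EXACT_MAXLEN 24

/* Constructed stand-in for Oniguruma's OptExactInfo (the real struct has more
   fields). The canary sits directly after s[] so an index-24 store would hit it. */
typedef struct {
    int len;
    unsigned char s[OPT_EXACT_MAXLEN];
    unsigned char canary;
} ExactInfo;

#define CANARY 0xAA

/* Stand-in for enclen(): assumes a single-byte encoding, so every character is 1 byte. */
static int enclen_stub(const unsigned char *p) { (void)p; return 1; }

/* Mirrors regcomp.c lines 4237-4241. Returns the highest index of to->s that
   was written (-1 if nothing was written) and leaves the post-loop i in to->len. */
int concat_exact(ExactInfo *to, const unsigned char *s, const unsigned char *end)
{
    int i, j, len;
    const unsigned char *p;
    int max_written = -1;

    for (i = to->len, p = s; p < end && i < OPT_EXACT_MAXLEN; ) {
        len = enclen_stub(p);
        if (i + len > OPT_EXACT_MAXLEN) break;
        for (j = 0; j < len && p < end; j++) {
            if (i > max_written) max_written = i;   /* the index to->s[i++] uses */
            to->s[i++] = *p++;                      /* store at the old i, then bump i */
        }
    }
    to->len = i;                                    /* i may now equal 24, but was never used as an index */
    return max_written;
}

/* Scenario from the report: 23 bytes already present, more input available. */
static int run_scenario(ExactInfo *to)
{
    const unsigned char input[] = "xyz";            /* constructed input */
    memset(to, 0, sizeof *to);
    to->len = 23;
    to->canary = CANARY;
    return concat_exact(to, input, input + 3);
}

int scenario_max_index(void)   { ExactInfo to; return run_scenario(&to); }
int scenario_final_i(void)     { ExactInfo to; run_scenario(&to); return to.len; }
int scenario_canary_intact(void) { ExactInfo to; run_scenario(&to); return to.canary == CANARY; }

int main(void)
{
    printf("highest index written: %d\n", scenario_max_index());   /* 23 */
    printf("i after the loop:      %d\n", scenario_final_i());     /* 24 */
    printf("canary intact:         %s\n", scenario_canary_intact() ? "yes" : "no");
    return 0;
}
```

The highest index stored is 23 and i ends at 24 with the canary untouched, which is exactly the distinction between `to->s[i++]` and `to->s[++i]`: only the latter would index element 24. Swapping the store for `to->s[++i] = *p++;` in the inner loop is the quickest way to see the canary get clobbered.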
 [2015-01-20 17:47 UTC] bugreports at internot dot info
-Status: Feedback +Status: Closed
 [2015-01-20 17:47 UTC] bugreports at internot dot info
Misread for ++i.

Closing.
 [2015-03-20 05:49 UTC] stas@php.net
-Assigned To: +Assigned To: stas