Bug #71606 Segmentation fault mb_strcut with HTML-ENTITIES encoding
Submitted: 2016-02-16 07:48 UTC Modified: 2017-07-23 10:17 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: imbolk at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 5.6.18 OS: Linux
Private report: No CVE-ID: None
 [2016-02-16 07:48 UTC] imbolk at gmail dot com
Description:
------------
Segmentation fault in code mb_strcut+mb_list_encodings

Test script:
---------------
<?php
// Cut with the HTML-ENTITIES encoding; on affected PHP 5 builds the
// process then segfaults when the next mbstring call runs.
echo mb_strcut('"', 0, 0, 'HTML-ENTITIES');
var_dump(mb_list_encodings());

Expected result:
----------------
list of encodings

Actual result:
--------------
Segmentation fault

Patches

fix-71606 (last revision 2016-07-30 22:41 UTC by cmb@php.net)

Pull Requests

History

 [2016-07-30 11:39 UTC] cmb@php.net
-Status: Open +Status: Verified
-Assigned To: +Assigned To: cmb
 [2016-07-30 11:39 UTC] cmb@php.net
Confirmed: <https://3v4l.org/mkXHU>. Seems to affect PHP 5 only.
 [2016-07-30 22:41 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-71606
Revision:   1469918484
URL:        https://bugs.php.net/patch-display.php?bug=71606&patch=fix-71606&revision=1469918484
 [2016-07-30 22:41 UTC] cmb@php.net
-Type: Bug +Type: Security
-Assigned To: cmb +Assigned To:
-Private report: No +Private report: Yes
 [2016-07-30 22:41 UTC] cmb@php.net
The segfault[1] is caused by double frees in mbfl_strcut()[2]
where filters are copied to backups. However, the HTML decoding
filter uses the `opaque` member of mbfl_convert_filter[3] as
buffer, so this buffer is later freed multiple times, because
there is no proper copy constructor[4] defined.

The attached patch solves this issue for PHP-5.6 (merging upward
till master doesn't conflict). A respective fix should also be
applied to <https://github.com/moriyoshi/libmbfl>.

This issue might be exploitable, so I'm switching to sec bug.

[1] With a debug build invalid frees are reported by ZendMM.
[2] <https://github.com/php/php-src/blob/PHP-7.0.8/ext/mbstring/libmbfl/mbfl/mbfilter.c#L1716>
[3] <https://github.com/php/php-src/blob/PHP-7.0.8/ext/mbstring/libmbfl/mbfl/mbfl_convert.h#L56>
[4] <https://github.com/php/php-src/blob/PHP-7.0.8/ext/mbstring/libmbfl/mbfl/mbfl_convert.h#L66>
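A minimal C model of the failure described in the comment above (a filter is backed up by struct copy, but its `opaque` member owns a heap buffer, so original and backup alias the same allocation) beside the copy-constructor fix. This is an added illustration, not libmbfl's or the patch's code; the struct, `html_dec_copy`, `filter_backup` and `backup_shares_buffer` are simplified stand-ins for the real filter types.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 64

/* Simplified stand-in for a conversion filter (not libmbfl's struct):
 * `opaque` is a filter-private heap buffer, `copy` an optional copy ctor. */
typedef struct filter {
    void *opaque;
    void (*copy)(struct filter *src, struct filter *dst);
} filter_t;

/* Copy constructor: the backup gets its own buffer (the fix). */
static void html_dec_copy(filter_t *src, filter_t *dst) {
    dst->opaque = malloc(BUF_LEN);
    if (dst->opaque && src->opaque) memcpy(dst->opaque, src->opaque, BUF_LEN);
}

/* Backup step: plain struct copy, then the copy ctor if one is defined.
 * Without a copy ctor, dst->opaque is the very same pointer as src->opaque. */
static void filter_backup(filter_t *src, filter_t *dst) {
    *dst = *src;
    if (src->copy) src->copy(src, dst);
}

static void filter_destroy(filter_t *f) {
    free(f->opaque);
    f->opaque = NULL;
}

/* Returns 1 when the backup aliases the original's buffer (destroying both
 * would free the same pointer twice), 0 when it owns a distinct copy. */
int backup_shares_buffer(int with_copy_ctor) {
    filter_t orig = { calloc(1, BUF_LEN), with_copy_ctor ? html_dec_copy : NULL };
    filter_t backup;
    filter_backup(&orig, &backup);
    int shared = (backup.opaque == orig.opaque);
    filter_destroy(&orig);
    if (!shared) filter_destroy(&backup);   /* only safe when not aliased */
    return shared;
}

int main(void) {
    printf("no copy ctor: aliased=%d\n", backup_shares_buffer(0));
    printf("copy ctor:    aliased=%d\n", backup_shares_buffer(1));
    return 0;
}
```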
 [2016-08-07 23:33 UTC] stas@php.net
-Assigned To: +Assigned To: hirokawa
 [2016-11-27 14:20 UTC] kalle@php.net
-Assigned To: hirokawa +Assigned To: cmb
 [2016-11-27 14:20 UTC] kalle@php.net
Re-assign since hirokawa doesn't have security permissions
 [2016-11-27 22:59 UTC] stas@php.net
I don't see how this can be exploitable, could you explain?
 [2016-11-28 10:14 UTC] cmb@php.net
It seems that *every* time mb_strcut() is called with $encoding =
'HTML-ENTITIES', there will be double-frees. I can't assess the
severity of these double-frees (might be harmless in all cases).
 [2017-06-21 08:37 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2017-07-23 10:11 UTC] nikic@php.net
-Type: Security +Type: Bug
 [2017-07-23 10:17 UTC] nikic@php.net
-Summary: Segmentation fault mb_strcut + mb_list_encodings +Summary: Segmentation fault mb_strcut with HTML-ENTITIES encoding
 [2017-07-23 10:23 UTC] nikic@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=418da85f1528172fb9df376c17f0fd79faf4aebf
Log: Fix #71606: Segmentation fault mb_strcut with HTML-ENTITIES
 [2017-07-23 10:23 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC