Bug #76319 mb_strtolower with default encoding causes BufferOverflow and termination
Submitted: 2018-05-09 18:44 UTC Modified: 2018-05-25 10:17 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: ion dot bazan at gmail dot com Assigned: nikic (profile)
Status: Closed Package: mbstring related
PHP Version: master-Git-2018-05-09 (Git) OS: Linux
Private report: No CVE-ID: None
 [2018-05-09 18:44 UTC] ion dot bazan at gmail dot com
Description:
------------
Calling mb_strtolower without specifying the encoding may cause an unexpected buffer overflow, while on PHP 7.2 it works properly.

Test script:
---------------
var_dump(mb_strtolower(urldecode('a%A1%C0b')));

Expected result:
----------------
string(4) "a??b"

Actual result:
--------------
*** buffer overflow detected ***: php terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7329f)[0x7f3bc3f2f29f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f3bc3fca83c]
/lib/x86_64-linux-gnu/libc.so.6(+0x10d710)[0x7f3bc3fc9710]
php[0x6f8f6d]
php[0x6e8031]
php(php_unicode_convert_case+0xbd)[0x6f917d]
php[0x6f26c3]
php(execute_ex+0x8e25)[0x9d15e5]
php(zend_call_function+0x7de)[0x92533e]
php[0x76fdba]
php(execute_ex+0x8e25)[0x9d15e5]
php(zend_execute+0x1d6)[0x9d26c6]
php(zend_execute_scripts+0xe7)[0x9366f7]
php(php_execute_script+0x3a6)[0x8c7116]
php[0x9d4cda]
php[0x45e8d0]
--- CUT ---

 [2018-05-09 18:46 UTC] ion dot bazan at gmail dot com
-Package: *General Issues +Package: mbstring related
 [2018-05-09 18:46 UTC] ion dot bazan at gmail dot com
Change category
 [2018-05-09 18:50 UTC] ion dot bazan at gmail dot com
Calling:

mb_strtolower(urldecode('a%A1%C0b'), 'ASCII')

works properly though.
 [2018-05-09 19:00 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2018-05-09 19:00 UTC] nikic@php.net
<?php
var_dump(mb_strtolower("a\xA1\x0B", 'UTF-8'));

UTF-8 is the default encoding and \xA1\x0B is invalid UTF-8. Clearly something is going wrong with handling invalid UTF-8.
 [2018-05-09 19:10 UTC] nikic@php.net
-Status: Verified +Status: Analyzed
 [2018-05-09 19:10 UTC] nikic@php.net
We're getting 0x780000a1 as the character. The simple casemapping leaves it at 0x780000a1, but the full casemapping assigns special meaning to results that have a non-zero top byte. We'll have to add an explicit check for out of range characters before calling the casemapping functions.
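The failure mode described in the comment above, as an added C model that is not php-src code and not part of the original report. It shows how an out-of-range value such as 0x780000a1 is misread as a packed table reference, and how a range check before the lookup prevents that. The table layout, the function names and the pass-through behaviour of the guard are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CODEPOINT 0x10FFFFu  /* highest valid Unicode code point */
#define MAX_EXPANSION 3          /* assumed cap on one mapping's output */

/* Constructed extra table: [count, code points...].
 * Entry at offset 0: U+0130 lowercases to U+0069 U+0307. */
static const uint32_t extra_table[] = { 2, 0x0069, 0x0307 };
#define EXTRA_LEN (sizeof extra_table / sizeof extra_table[0])

/* Model lookup (assumed layout): a zero top byte means "plain code point";
 * a non-zero top byte means "low 24 bits are an offset into extra_table".
 * Unknown input is returned unchanged, like the simple mapping in the report. */
static uint32_t lookup_lower(uint32_t c) {
    if (c >= 'A' && c <= 'Z') return c + 32;
    if (c == 0x0130) return (1u << 24) | 0u;
    return c;
}

/* Writes the lowercase form of c to out and returns the count written.
 * Returns -1 where the decoded offset/count falls outside the table or
 * buffer, i.e. where unchecked code would read or write out of bounds.
 * guard != 0 applies the range check before any lookup. */
static int tolower_full(uint32_t c, uint32_t out[MAX_EXPANSION], int guard) {
    if (guard && c > MAX_CODEPOINT) {   /* not a code point: pass through */
        out[0] = c;
        return 1;
    }
    uint32_t raw = lookup_lower(c);
    if ((raw >> 24) == 0) {
        out[0] = raw;
        return 1;
    }
    size_t off = raw & 0xFFFFFFu;
    if (off >= EXTRA_LEN) return -1;
    uint32_t n = extra_table[off];
    if (n > MAX_EXPANSION || off + n >= EXTRA_LEN) return -1;
    for (uint32_t i = 0; i < n; i++) out[i] = extra_table[off + 1 + i];
    return (int)n;
}

int main(void) {
    uint32_t out[MAX_EXPANSION];
    printf("unguarded: %d\n", tolower_full(0x780000a1u, out, 0)); /* -1 */
    printf("guarded:   %d\n", tolower_full(0x780000a1u, out, 1)); /* 1 */
    return 0;
}
```

The -1 return stands in for the point where code without the check would index past the table; the model reports it instead of performing the access.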
 [2018-05-24 21:27 UTC] cmb@php.net
BTW: doesn't the implementation of full case mapping[1] deserve a
prominent entry in UPGRADING?

[1] <http://git.php.net/?p=php-src.git;a=commit;h=582a65b06f3de125887cab02d5c561168fcf94bc>
 [2018-05-25 10:10 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d63f4dec1d180f2a9533d8b7b6b5c445917aee2
Log: Fixed bug #76319
 [2018-05-25 10:10 UTC] nikic@php.net
-Status: Analyzed +Status: Closed
 [2018-05-25 10:17 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2018-05-25 10:17 UTC] nikic@php.net
@cmb: Good point, I added some notes in https://github.com/php/php-src/commit/95c9d9d2d7f696e5e9cd05692195b4e4071e0d40.
 