Sec Bug #77381 heap buffer overflow in multibyte match_at
Submitted: 2018-12-30 21:44 UTC Modified: 2019-02-22 22:09 UTC
From: hugh at allthethings dot co dot nz Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9023

 [2018-12-30 21:44 UTC] hugh at allthethings dot co dot nz
Description:
------------
Caused by an incomplete multibyte char at end of $pattern in mb_split and mb_ereg. Leads to memory corruption and/or leakage.

Reproduced on 5.6.39, 7.0.33, and 7.1.25, not reproduced on 7.2, 7.3 and master.

Patch to fix available at https://gist.github.com/hughdavenport/3cb40fcf956085de44bf4443c25c58fe. Fixed by checking the length properly in compile_length_string_node.



Test script:
---------------
php -r 'var_dump(mb_ereg("000||0\xfa","0"));'


Expected result:
----------------
no crash

Actual result:
--------------
21:38 $ ~/src/php-src/sapi/cli/php -r 'var_dump(mb_ereg("000||0\xfa","0"));'
=================================================================
==32334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300001c478 at pc 0x000000851e3e bp 0x7ffd64536450 sp 0x7ffd64536448
READ of size 1 at 0x60300001c478 thread T0
    #0 0x851e3d in match_at /home/hugh/src/php-src/ext/mbstring/oniguruma/regexec.c:1315:13
    #1 0x85424e in onig_search /home/hugh/src/php-src/ext/mbstring/oniguruma/regexec.c:3638:7
    #2 0x984949 in _php_mb_regex_ereg_exec /home/hugh/src/php-src/ext/mbstring/php_mbregex.c:753:6
    #3 0x12b1e72 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/hugh/src/php-src/Zend/zend_vm_execute.h:675:2
    #4 0x111aa0d in execute_ex /home/hugh/src/php-src/Zend/zend_vm_execute.h:432:7
    #5 0x111b9eb in zend_execute /home/hugh/src/php-src/Zend/zend_vm_execute.h:474:2
    #6 0xf1d950 in zend_eval_stringl /home/hugh/src/php-src/Zend/zend_execute_API.c:1120:4
    #7 0xf1e48a in zend_eval_stringl_ex /home/hugh/src/php-src/Zend/zend_execute_API.c:1161:11
    #8 0xf1e48a in zend_eval_string_ex /home/hugh/src/php-src/Zend/zend_execute_API.c:1172
    #9 0x13efbe8 in do_cli /home/hugh/src/php-src/sapi/cli/php_cli.c:1024:8
    #10 0x13ecba5 in main /home/hugh/src/php-src/sapi/cli/php_cli.c:1381:18
    #11 0x7f7d890f0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x438cc9 in _start (/home/hugh/src/php-src/sapi/cli/php+0x438cc9)

0x60300001c478 is located 8 bytes to the left of 32-byte region [0x60300001c480,0x60300001c4a0)
allocated by thread T0 here:
    #0 0x4ee320 in malloc (/home/hugh/src/php-src/sapi/cli/php+0x4ee320)
    #1 0xe53fdc in __zend_malloc /home/hugh/src/php-src/Zend/zend_alloc.c:2838:14

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hugh/src/php-src/ext/mbstring/oniguruma/regexec.c:1315:13 in match_at
Shadow bytes around the buggy address:
  0x0c067fffb830: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb840: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
  0x0c067fffb850: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
  0x0c067fffb860: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fffb870: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd
=>0x0c067fffb880: fd fd fa fa 00 00 00 00 fa fa 00 00 00 04 fa[fa]
  0x0c067fffb890: 00 00 00 00 fa fa 00 00 00 00 fa fa fa fa fa fa
  0x0c067fffb8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fffb8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32334==ABORTING

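An added example, not code from the report or from oniguruma, of the kind of length check the description says the fix adds: it walks a pattern using a constructed EUC-JP-style lead-byte table (an assumption for illustration, not oniguruma's encoding table), once trusting the lead byte's declared length, which steps past the end of the report's 7-byte pattern, and once bounding every step by the bytes remaining, which reports the incomplete trailing character instead.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed lead-byte length table approximating EUC-JP (an assumption
   for this example, not oniguruma's encoding table): SS2 0x8E starts a
   2-byte char, SS3 0x8F a 3-byte char, 0xA1..0xFE a 2-byte char. */
static size_t eucjp_lead_len(unsigned char c)
{
    if (c == 0x8e) return 2;
    if (c == 0x8f) return 3;
    if (c >= 0xa1 && c <= 0xfe) return 2;
    return 1;
}

/* Unbounded walk: steps by the lead byte's declared length without checking
   how many bytes remain. Returns the offset it ends at; a value larger than
   n means the walk stepped past the buffer, which is where a matcher that
   trusts that length would read out of bounds. */
size_t walk_unbounded(const unsigned char *p, size_t n)
{
    size_t off = 0;
    while (off < n)
        off += eucjp_lead_len(p[off]);
    return off;
}

typedef struct {
    size_t consumed;   /* bytes covered by complete characters */
    size_t nchars;     /* number of complete characters */
    bool   truncated;  /* trailing character cut short by the buffer end */
} walk_result;

/* Bounded walk: each step is checked against the remaining length, so an
   incomplete trailing character is reported rather than overrun. */
walk_result walk_bounded(const unsigned char *p, size_t n)
{
    walk_result r = {0, 0, false};
    while (r.consumed < n) {
        size_t len = eucjp_lead_len(p[r.consumed]);
        if (len > n - r.consumed) {   /* lead byte promises more than is left */
            r.truncated = true;
            break;
        }
        r.consumed += len;
        r.nchars++;
    }
    return r;
}
```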

History

 [2019-01-02 08:43 UTC] stas@php.net
I've made a common fix for four mbstring regex issues. It's in security repo as 6eb73547f231336d09e42d161ea6756b88832d46 and in https://gist.github.com/smalyshev/d5b79a07341ffdd77dc88860724bd2f5. Please verify.
 [2019-01-02 08:43 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-01-02 21:16 UTC] hugh at allthethings dot co dot nz
Verified on 5.6, 7.0 and 7.1
 [2019-01-07 08:17 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 08:17 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2019-02-22 22:09 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023