Sec Bug #77418 Heap overflow in utf32be_mbc_to_code
Submitted: 2019-01-07 01:22 UTC Modified: 2019-02-22 22:08 UTC
From: hugh at allthethings dot co dot nz Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9023
 [2019-01-07 01:22 UTC] hugh at allthethings dot co dot nz
Description:
------------
The function utf32be_mbc_to_code assumes a buffer that contains 4 more characters in it (for a valid UTF-32 character). However, when an unterminated multibyte is passed to the regex match then the buffer will overflow.

Reproduced on 5.6.39, 7.0.33, 7.1.25, 7.2.13, 7.3.0 and master.

Patch available at https://gist.github.com/hughdavenport/3db8c2b9f92765c84196b387c32faaea

Test script:
---------------
php -r 'mb_regex_encoding("UTF-32");var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));'


Expected result:
----------------
no crash

Actual result:
--------------
$ ../src/php-src/sapi/cli/php -r 'mb_regex_encoding("UTF-32");var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));'
=================================================================
==27697==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000061d8 at pc 0x000000a0980f bp 0x7fffae9f0f60 sp 0x7fffae9f0f58
READ of size 1 at 0x6060000061d8 thread T0
    #0 0xa0980e in utf32be_mbc_to_code /home/hugh/src/php-src/ext/mbstring/oniguruma/src/utf32_be.c:70:70
    #1 0x993369 in match_at /home/hugh/src/php-src/ext/mbstring/oniguruma/src/regexec.c:3067:15
    #2 0x99ea2d in onig_search_with_param /home/hugh/src/php-src/ext/mbstring/oniguruma/src/regexec.c:4855:7
    #3 0x99c8e6 in onig_search /home/hugh/src/php-src/ext/mbstring/oniguruma/src/regexec.c:4614:7
    #4 0xae1a3c in zif_mb_split /home/hugh/src/php-src/ext/mbstring/php_mbregex.c:1265:9
    #5 0x1480525 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/hugh/src/php-src/Zend/zend_vm_execute.h:694:2
    #6 0x1270cfd in execute_ex /home/hugh/src/php-src/Zend/zend_vm_execute.h:55012:7
    #7 0x12716d6 in zend_execute /home/hugh/src/php-src/Zend/zend_vm_execute.h:60595:2
    #8 0x1083690 in zend_eval_stringl /home/hugh/src/php-src/Zend/zend_execute_API.c:1063:4
    #9 0x1083f1a in zend_eval_stringl_ex /home/hugh/src/php-src/Zend/zend_execute_API.c:1104:11
    #10 0x1083f1a in zend_eval_string_ex /home/hugh/src/php-src/Zend/zend_execute_API.c:1115
    #11 0x15b2127 in do_cli /home/hugh/src/php-src/sapi/cli/php_cli.c:1023:8
    #12 0x15aef3e in main /home/hugh/src/php-src/sapi/cli/php_cli.c:1384:18
    #13 0x7f79623c4b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x43bfe9 in _start (/home/hugh/src/php-src/sapi/cli/php+0x43bfe9)

0x6060000061d8 is located 0 bytes to the right of 56-byte region [0x6060000061a0,0x6060000061d8)
allocated by thread T0 here:
    #0 0x4f1640 in malloc (/home/hugh/src/php-src/sapi/cli/php+0x4f1640)
    #1 0xfd4a7c in __zend_malloc /home/hugh/src/php-src/Zend/zend_alloc.c:2930:14
    #2 0xfdec4c in zval_make_interned_string /home/hugh/src/php-src/Zend/zend_compile.c:478:16
    #3 0xfdec4c in zend_insert_literal /home/hugh/src/php-src/Zend/zend_compile.c:490
    #4 0xfdec4c in zend_add_literal /home/hugh/src/php-src/Zend/zend_compile.c:511
    #5 0xfdec4c in zend_emit_op /home/hugh/src/php-src/Zend/zend_compile.c:1988

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hugh/src/php-src/ext/mbstring/oniguruma/src/utf32_be.c:70:70 in utf32be_mbc_to_code
==27697==ABORTING


 [2019-01-07 01:37 UTC] stas@php.net
OnigCodePoint is unsigned long, so converting NULL to it is not right. But I think we could probably just return 0 there.
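The length check discussed in the comment above, as an added illustration (not oniguruma's code and not the linked patch): a UTF-32BE decoder that refuses to read 4 bytes when fewer remain, returning 0 for a truncated tail instead of reading past the end of the allocation as the ASan report shows. `utf32be_to_code_checked`, `count_units` and the `sample` buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same width as oniguruma's OnigCodePoint per the comment above. */
typedef unsigned long OnigCodePoint;

/* Illustrative bounds-checked decoder. `p` is the start of a code unit,
 * `end` one past the last valid byte. A complete UTF-32 unit needs 4 bytes;
 * with fewer remaining we return 0 rather than read beyond `end`. */
static OnigCodePoint utf32be_to_code_checked(const uint8_t *p, const uint8_t *end)
{
    if (end < p || (size_t)(end - p) < 4)
        return 0;                           /* truncated unit: no out-of-bounds read */
    return ((OnigCodePoint)p[0] << 24) | ((OnigCodePoint)p[1] << 16)
         | ((OnigCodePoint)p[2] << 8)  |  (OnigCodePoint)p[3];
}

/* Walk a buffer unit by unit, counting complete units and flagging a
 * trailing partial unit (1..3 bytes) instead of decoding it. */
static size_t count_units(const uint8_t *buf, size_t len, int *truncated)
{
    const uint8_t *p = buf, *end = buf + len;
    size_t n = 0;
    *truncated = 0;
    while (p < end) {
        if ((size_t)(end - p) < 4) { *truncated = 1; break; }
        (void)utf32be_to_code_checked(p, end);
        n++;
        p += 4;
    }
    return n;
}

/* Constructed input: the two units from the test script's pattern
 * ("\x00\x00\x00\x5c" and "\x00\x00\x00B") followed by a 2-byte tail
 * that mimics an unterminated unit. */
static const uint8_t sample[] = {0, 0, 0, 0x5c, 0, 0, 0, 'B', 0, 0};
static int g_trunc;                         /* scratch flag for the demo */

int main(void)
{
    size_t n = count_units(sample, sizeof sample, &g_trunc);
    printf("%zu complete units, truncated tail: %s\n", n, g_trunc ? "yes" : "no");
    printf("code at offset 8: %lu\n",
           utf32be_to_code_checked(sample + 8, sample + sizeof sample));
    return 0;
}
```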
 [2019-01-07 01:42 UTC] hugh at allthethings dot co dot nz
Yeah, wasn't too sure on that as it wasn't clear what a good error code would be. I've got a crash on UTF16 as well, I'll do a patch with 0 instead of NULL for that one.
 [2019-01-07 01:44 UTC] stas@php.net
this should fix it: https://gist.github.com/smalyshev/2b4a3c7d838e81f45f813090fe4db5ad

I'll add tests a bit later for the full patch
 [2019-01-07 07:35 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2019-01-07 08:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d6c59eeea88a3e9d7039cb4fed5126ef704593a
Log: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code
 [2019-01-07 08:10 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-01-07 13:17 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b6fe458ef9ac1372b60c3d3810b0358e2e20840d
Log: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code
 [2019-02-22 22:08 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-9023