Sec Bug #78559 Heap buffer overflow in mb_eregi
Submitted: 2019-09-18 10:48 UTC Modified: 2019-09-24 04:50 UTC
From: nikic@php.net Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.3.9 OS:
Private report: No CVE-ID: None
 [2019-09-18 10:48 UTC] nikic@php.net
Description:
------------
Against libonig 2.9.3 the test script gives:

=================================================================
==17768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000023727 at pc 0x00000184bd62 bp 0x7ffda9f2f1d0 sp 0x7ffda9f2f1c8
READ of size 1 at 0x603000023727 thread T0
    #0 0x184bd61 in str_lower_case_match /home/nikic/libonig/src/regexec.c:4017:11
    #1 0x184bd61 in slow_search_ic /home/nikic/libonig/src/regexec.c:4040:9
    #2 0x184bd61 in forward_search_range /home/nikic/libonig/src/regexec.c:4355:9
    #3 0x18487df in onig_search_with_param /home/nikic/libonig/src/regexec.c:4778:17
    #4 0x1847554 in onig_search /home/nikic/libonig/src/regexec.c:4574:7
    #5 0xa99ad0 in _php_mb_onig_search /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:878:8
    #6 0xa99ad0 in _php_mb_regex_ereg_exec /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:936:6
    #7 0x168f607 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:1326:2
    #8 0x148597c in execute_ex /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:54074:7
    #9 0x148605c in zend_execute /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:58355:2
    #10 0x130625f in zend_execute_scripts /home/nikic/php-src-fuzz/Zend/zend.c:1643:4
    #11 0x10f0935 in php_execute_script /home/nikic/php-src-fuzz/main/main.c:2587:14
    #12 0x17979c0 in do_cli /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:961:5
    #13 0x1794a0f in main /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:1352:18
    #14 0x7ff709f62b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x447139 in _start (/home/nikic/php-src-fuzz/sapi/cli/php+0x447139)

0x603000023727 is located 0 bytes to the right of 23-byte region [0x603000023710,0x603000023727)
allocated by thread T0 here:
    #0 0x4bf03d in malloc (/home/nikic/php-src-fuzz/sapi/cli/php+0x4bf03d)
    #1 0x17f44c0 in set_optimize_exact /home/nikic/libonig/src/regcomp.c:5687:25
    #2 0x17f44c0 in set_optimize_info_from_tree /home/nikic/libonig/src/regcomp.c:5800:11
    #3 0x17f44c0 in onig_compile /home/nikic/libonig/src/regcomp.c:6194:7
    #4 0x1817d6e in onig_new /home/nikic/libonig/src/regcomp.c:6356:7
    #5 0xaa018d in php_mbregex_compile_pattern /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:467:19
    #6 0xa99a48 in _php_mb_regex_ereg_exec /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:927:7
    #7 0x168f607 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:1326:2
    #8 0x148597c in execute_ex /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:54074:7
    #9 0x148605c in zend_execute /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:58355:2
    #10 0x130625f in zend_execute_scripts /home/nikic/php-src-fuzz/Zend/zend.c:1643:4
    #11 0x10f0935 in php_execute_script /home/nikic/php-src-fuzz/main/main.c:2587:14
    #12 0x17979c0 in do_cli /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:961:5
    #13 0x1794a0f in main /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:1352:18
    #14 0x7ff709f62b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Test script:
---------------
<?php
// Hex-encoded pattern bytes from the fuzzer; the same bytes serve as both the
// pattern and the subject string.
$str = "5b5b5b5b5b5b5b492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c52525252525252525252525252525252525252525252525252492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c1cceb04b5d1cceb07a73717e4b1c302c36303030ceb07b7bd2a15c305c30663f436f6e74655c5238416711087b363030302c36303030ceb07b7b7b7b7b7b7b363030302c36303030ceb07b7b7b7b7b7b7b4a01";
$str = hex2bin($str);
// Case-insensitive match; this is the call that reaches the over-read above.
var_dump(mb_eregi($str, $str));
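Reports like the AddressSanitizer output in the description arrive in bulk from a fuzzing run, and the first job is to turn each one into a triage record that can be deduplicated and attributed to a component. The following is an added example, not part of this bug report and not code from PHP or oniguruma: it parses the report excerpt above into the error kind, the access type and size, the distance from the allocated region, the faulting and allocating frames, and a dedup signature. The regular expressions follow this report's wording (plus the newer "bytes after/before" phrasing of recent ASan builds); the component attribution by source path assumes the directory layout visible in the trace and is a constructed heuristic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the AddressSanitizer report from the bug description above.
SAMPLE_REPORT = """\
==17768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000023727 at pc 0x00000184bd62 bp 0x7ffda9f2f1d0 sp 0x7ffda9f2f1c8
READ of size 1 at 0x603000023727 thread T0
    #0 0x184bd61 in str_lower_case_match /home/nikic/libonig/src/regexec.c:4017:11
    #1 0x184bd61 in slow_search_ic /home/nikic/libonig/src/regexec.c:4040:9
    #2 0x184bd61 in forward_search_range /home/nikic/libonig/src/regexec.c:4355:9
    #3 0x18487df in onig_search_with_param /home/nikic/libonig/src/regexec.c:4778:17
    #4 0x1847554 in onig_search /home/nikic/libonig/src/regexec.c:4574:7
    #5 0xa99ad0 in _php_mb_onig_search /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:878:8

0x603000023727 is located 0 bytes to the right of 23-byte region [0x603000023710,0x603000023727)
allocated by thread T0 here:
    #0 0x4bf03d in malloc (/home/nikic/php-src-fuzz/sapi/cli/php+0x4bf03d)
    #1 0x17f44c0 in set_optimize_exact /home/nikic/libonig/src/regcomp.c:5687:25
    #2 0x17f44c0 in set_optimize_info_from_tree /home/nikic/libonig/src/regcomp.c:5800:11
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at ")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
# This report says "to the right of"; newer ASan builds print "after"/"before".
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right) of|(?P<rel>before|after)) "
    r"(?P<rsize>\d+)-byte region")

@dataclass
class Frame:
    func: str
    loc: str  # "file:line:col", or "(binary+offset)" for unsymbolized frames

@dataclass
class AsanTriage:
    kind: str = ""
    op: str = ""
    size: int = 0
    distance: Optional[int] = None   # bytes between the access and the region edge
    side: str = ""                   # "right" = past the end, "left" = before the start
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanTriage:
    t = AsanTriage()
    current: Optional[List[Frame]] = None  # stack that the next "#N" lines belong to
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            t.kind = m.group("kind")
        elif m := ACCESS_RE.match(line):
            t.op, t.size = m.group("op"), int(m.group("size"))
            current = t.access_stack
        elif m := REGION_RE.search(line):
            t.distance = int(m.group("dist"))
            t.side = m.group("side") or {"after": "right", "before": "left"}[m.group("rel")]
            t.region_size = int(m.group("rsize"))
        elif line.startswith("allocated by"):
            current = t.alloc_stack
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(m.group("func"), m.group("loc")))
    return t

# Allocator and intercepted libc routines that ASan puts at the top of a stack;
# skip them when picking the frame that "owns" the bug.
RUNTIME_FRAMES = {"malloc", "calloc", "realloc", "free", "memcpy", "memmove", "strlen"}

def first_app_frame(frames: List[Frame]) -> Optional[Frame]:
    return next((f for f in frames if f.func not in RUNTIME_FRAMES), None)

def signature(t: AsanTriage) -> str:
    """Dedup key for a fuzzing queue: bug class, access type, faulting function."""
    top = first_app_frame(t.access_stack)
    return f"{t.kind}:{t.op}:{top.func if top else '?'}"

def owning_component(t: AsanTriage) -> str:
    """Attribute the fault by source path (assumed layout, taken from the trace)."""
    top = first_app_frame(t.access_stack)
    if top and "/libonig/" in top.loc:
        return "libonig"
    if top and "/ext/mbstring/" in top.loc:
        return "php-mbstring"
    return "unknown"

def is_one_past_end_read(t: AsanTriage) -> bool:
    """Read that starts exactly at the region's end: the classic off-by-one over-read."""
    return t.op == "READ" and t.side == "right" and t.distance == 0

def triage_line(t: AsanTriage) -> str:
    alloc = first_app_frame(t.alloc_stack)
    where = "past" if t.side == "right" else "before"
    return (f"{signature(t)} size={t.size} {t.distance}B {where} {t.region_size}B region "
            f"in {owning_component(t)}; allocated by {alloc.func if alloc else '?'}")

if __name__ == "__main__":
    print(triage_line(parse_asan_report(SAMPLE_REPORT)))
```

The signature deliberately ignores addresses and PIDs, which change on every run, so two crashes with the same bug class and faulting function collapse into one queue entry; the allocation site is kept separately because it tells the reader which code sized the buffer (here `set_optimize_exact`), which is usually where the fix is reviewed.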

 [2019-09-18 12:11 UTC] nikic@php.net
It looks like this is already fixed with current oniguruma master.
 [2019-09-20 17:05 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: stas
 [2019-09-20 17:05 UTC] cmb@php.net
Complete fix including PHPT at
<https://gist.github.com/cmb69/6c00045e545c7ca6db3916dd6fc9a44d>.

Only PHP-7.3 is affected.

Could you please submit this to the sec repo, Stas?
 [2019-09-24 04:51 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8f949eba8083e34d181c30bcf11aaeef2496bb97
Log: Fix #78559: Heap buffer overflow in mb_eregi
 [2019-09-24 04:51 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-09-24 08:28 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=90a77d87d4b63db29b1051a784e91e7d368a07e1
Log: Fix #78559: Heap buffer overflow in mb_eregi
 [2019-09-26 20:23 UTC] axisselalumultitalenta at gmail dot com
The following pull request has been associated:

Patch Name: Convert login, logout and statistics pages to templates
On GitHub:  https://github.com/php/web-bugs/pull/83
Patch:      https://github.com/php/web-bugs/pull/83.patch
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC