Sec Bug #68706 explicit uninitialized pointer in mbstring
Submitted: 2015-01-01 05:50 UTC Modified: 2015-01-04 05:55 UTC
From: bugreports at internot dot info Assigned:
Status: Closed Package: mbstring related
PHP Version: master-Git-2015-01-01 (Git) OS: Linux Ubuntu 14.04
Private report: No CVE-ID: None
 [2015-01-01 05:50 UTC] bugreports at internot dot info
Description:
------------
Hi,

In /ext/mbstring/mbstring.c:

3891        int state = 0;
3892        int crlf_state = -1;
3893        char *token;
[..]
3897        ps = str;
3898        icnt = str_len;


3912        while (icnt > 0) {
3913                switch (*ps) {
3914                        case ':':
3915                                if (crlf_state == 1) {
3916                                        token_pos++;
3917                                }
3918
3919                                if (state == 0 || state == 1) {
3920                                        fld_name = zend_string_init(token, token_pos, 0);


zend_string_init() is:


Zend/zend_string.h
131static zend_always_inline zend_string *zend_string_init(const char *str, size_t len, int persistent)
132{
133        zend_string *ret = zend_string_alloc(len, persistent);
134
135        memcpy(ret->val, str, len);
136        ret->val[len] = '\0';
137        return ret;
138}

so a null pointer is passed to memcpy on the src variable.


A quick look shows that a testcase could be made if the 'str' in _php_mbstr_parse_mail_headers() is passed with ':'.




 [2015-01-01 05:59 UTC] bugreports at internot dot info
"so a null pointer is passed to memcpy on the src variable."
should read
"so an uninitialized pointer is passed to memcpy on the src variable."
 [2015-01-01 06:38 UTC] bugreports at internot dot info
Here's a reproducer:

<?php
ini_set('zend.multibyte', '1');
ini_set('mbstring.internal_encoding', 'big5');
$recipient = 'bugreports@internot.info';
$headers = ':';
$subject = ':Hello World!';
$message = 'https://internot.info/';
mb_send_mail($recipient, $subject, $message, $headers);
?>

 # ./php lol.php 
Segmentation fault
 [2015-01-04 05:55 UTC] stas@php.net
This one is interesting since it looks like token_pos would be 0 there, but memcpy wants proper args even with zero length: http://stackoverflow.com/questions/5243012/is-it-guaranteed-to-be-safe-to-perform-memcpy0-0-0

So it still needs a fix. Since it's master only, no reason to hide it.
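To make the point of the thread concrete (an uninitialized `token` reaching `memcpy()` even though the requested length is 0), here is an added, self-contained C illustration of the defensive shape a header tokenizer and its string constructor can take. It is not code from php-src and does not reproduce the actual commit; the names `hstring`, `hstring_init` and `header_field_name` are hypothetical stand-ins for `zend_string`, `zend_string_init()` and `_php_mbstr_parse_mail_headers()`. The two defensive points it shows are: the token pointer is assigned before the loop so it can never hold garbage, and the copy routine only dereferences its source when the length is non-zero, rather than relying on `memcpy(dst, garbage, 0)` being harmless.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for zend_string: a length plus NUL-terminated bytes. */
typedef struct {
    size_t len;
    char *val;
} hstring;

/* Copy-construct a string.  Unlike the unconditional
 * memcpy(ret->val, str, len) in the quoted zend_string_init(), this only
 * touches src when len > 0, and treats a NULL src with a non-zero len as a
 * caller bug (returns NULL) instead of handing an invalid pointer to memcpy. */
hstring *hstring_init(const char *src, size_t len)
{
    hstring *ret = malloc(sizeof *ret);
    if (ret == NULL) {
        return NULL;
    }
    ret->val = malloc(len + 1);
    if (ret->val == NULL) {
        free(ret);
        return NULL;
    }
    if (len > 0) {
        if (src == NULL) {
            free(ret->val);
            free(ret);
            return NULL;
        }
        memcpy(ret->val, src, len);
    }
    ret->val[len] = '\0';
    ret->len = len;
    return ret;
}

void hstring_free(hstring *s)
{
    if (s != NULL) {
        free(s->val);
        free(s);
    }
}

/* Return the field name preceding the first ':' in a header line, or NULL
 * when there is no ':'.  'token' is initialized to the start of the buffer,
 * so an input that begins with ':' (the reporter's $headers = ':' case)
 * yields an empty field name rather than a read through a garbage pointer. */
hstring *header_field_name(const char *str, size_t str_len)
{
    const char *ps = str;
    const char *token = str;   /* always points into str before first use */
    size_t token_pos = 0;
    size_t icnt = str_len;

    while (icnt > 0) {
        if (*ps == ':') {
            return hstring_init(token, token_pos);
        }
        token_pos++;
        ps++;
        icnt--;
    }
    return NULL;
}
```

The zero-length case is the one worth remembering: the C standard requires every pointer argument to `memcpy()` to be valid even when the size is 0, so guarding the copy on `len > 0` (or initializing the pointer, or both) is what removes the undefined behaviour, not the fact that nothing would be copied.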
 [2015-01-04 05:56 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=599d7a3968cfaf0317adca52bfb0e73ba3e3f52a
Log: Fix bug #68706 - uninitalized pointer in mbstring
 [2015-01-04 05:56 UTC] stas@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:40 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=599d7a3968cfaf0317adca52bfb0e73ba3e3f52a
Log: Fix bug #68706 - uninitalized pointer in mbstring