Bug #71606 Segmentation fault mb_strcut with HTML-ENTITIES encoding
Submitted: 2016-02-16 07:48 UTC Modified: 2017-07-23 10:17 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: imbolk at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 5.6.18 OS: Linux
Private report: No CVE-ID:
 [2016-02-16 07:48 UTC] imbolk at gmail dot com
Description:
------------
Segmentation fault in code mb_strcut+mb_list_encodings

Test script:
---------------
<?php
// Reproducer from the report: mb_strcut() with the HTML-ENTITIES encoding,
// followed by mb_list_encodings(), crashed on PHP 5.6.18.
echo mb_strcut('"', 0, 0, 'HTML-ENTITIES');
var_dump(mb_list_encodings());

Expected result:
----------------
list of encodings

Actual result:
--------------
Segmentation fault

Patches

fix-71606 (last revision 2016-07-30 22:41 UTC by cmb@php.net)


Pull Requests


History

 [2016-07-30 11:39 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2016-07-30 11:39 UTC] cmb@php.net
Confirmed: <https://3v4l.org/mkXHU>. Seems to affect PHP 5 only.
 [2016-07-30 22:41 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-71606
Revision:   1469918484
URL:        https://bugs.php.net/patch-display.php?bug=71606&patch=fix-71606&revision=1469918484
 [2016-07-30 22:41 UTC] cmb@php.net
-Type: Bug +Type: Security -Assigned To: cmb +Assigned To: -Private report: No +Private report: Yes
 [2016-07-30 22:41 UTC] cmb@php.net
The segfault[1] is caused by double frees in mbfl_strcut()[2]
where filters are copied to backups. However, the HTML decoding
filter uses the `opaque` member of mbfl_convert_filter[3] as
buffer, so this buffer is later freed multiple times, because
there is no proper copy constructor[4] defined.

The attached patch solves this issue for PHP-5.6 (merging upward
till master doesn't conflict). A respective fix should also be
applied to <https://github.com/moriyoshi/libmbfl>.

This issue might be exploitable, so I'm switching to sec bug.

[1] With a debug build invalid frees are reported by ZendMM.
[2] <https://github.com/php/php-src/blob/PHP-7.0.8/ext/mbstring/libmbfl/mbfl/mbfilter.c#L1716>
[3] <https://github.com/php/php-src/blob/PHP-7.0.8/ext/mbstring/libmbfl/mbfl/mbfl_convert.h#L56>
[4] <https://github.com/php/php-src/blob/PHP-7.0.8/ext/mbstring/libmbfl/mbfl/mbfl_convert.h#L66>
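The defect class cmb describes above (a filter struct copied into a backup by plain struct assignment, so the buffer hanging off its `opaque` pointer is owned twice and released twice) can be shown in miniature. The following is an added illustration, not libmbfl's or php-src's code: the `filter_t` type, the `html_filter_*` functions and `strcut_release_count()` are hypothetical stand-ins for mbfl_convert_filter, the HTML-entity filter and the backup step in mbfl_strcut(). A small counting allocator records how many times each buffer is released, in the spirit of the ZendMM debug build that reported the invalid frees, so the double release is counted rather than handed to free() twice. Running the sequence without a copy constructor reproduces the double release; defining one, as the patch does, gives each filter its own buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of an mbfl-style convert filter (names are
 * assumptions, not libmbfl's): private state lives behind an opaque
 * pointer, and an optional copy constructor says how to duplicate it. */
typedef struct filter {
    void *opaque;                                               /* owned buffer */
    void (*copy)(struct filter *dst, const struct filter *src); /* deep copy, or NULL */
} filter_t;

#define BUF_SIZE 64

/* Tracking allocator: counts releases per buffer so a double release is
 * reported instead of executed (calling free() twice is undefined). */
#define MAX_TRACKED 8
static void *tracked[MAX_TRACKED];
static int  releases[MAX_TRACKED];
static int  ntracked;

static void tracking_reset(void) { ntracked = 0; }

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p && ntracked < MAX_TRACKED) {
        tracked[ntracked] = p;
        releases[ntracked] = 0;
        ntracked++;
    }
    return p;
}

static void tracked_release(void *p) {
    for (int i = 0; i < ntracked; i++) {
        if (tracked[i] == p) {
            if (releases[i]++ == 0) free(p); /* really free only the first time */
            return;
        }
    }
}

/* Largest release count seen for any one buffer: 1 is correct, 2 is a double free. */
static int max_releases(void) {
    int m = 0;
    for (int i = 0; i < ntracked; i++) if (releases[i] > m) m = releases[i];
    return m;
}

/* A decoding filter whose state is an owned buffer, like the HTML-entity filter. */
static filter_t html_filter_new(void) {
    filter_t f;
    f.opaque = tracked_alloc(BUF_SIZE);
    f.copy = NULL;
    return f;
}

static void filter_destroy(filter_t *f) {
    tracked_release(f->opaque);
    f->opaque = NULL;
}

/* Copy constructor: duplicates the buffer so backup and original own separate state. */
static void html_filter_copy(filter_t *dst, const filter_t *src) {
    *dst = *src;
    dst->opaque = tracked_alloc(BUF_SIZE);
    if (dst->opaque && src->opaque) memcpy(dst->opaque, src->opaque, BUF_SIZE);
}

/* Backup step of the strcut pattern: deep copy when the filter provides one,
 * otherwise a plain struct copy that silently shares the opaque pointer. */
static void backup_filter(filter_t *bak, const filter_t *f) {
    if (f->copy) f->copy(bak, f);
    else *bak = *f;
}

/* Run backup, then tear down backup and original; return the worst release
 * count. use_copy_ctor = 0 reproduces the defect, 1 applies the fix. */
int strcut_release_count(int use_copy_ctor) {
    tracking_reset();
    filter_t f = html_filter_new();
    if (use_copy_ctor) f.copy = html_filter_copy;
    filter_t bak;
    backup_filter(&bak, &f);
    filter_destroy(&bak); /* backup torn down first ... */
    filter_destroy(&f);   /* ... then the original: a shared buffer is released again */
    return max_releases();
}

int main(void) {
    printf("without copy ctor: max releases per buffer = %d\n", strcut_release_count(0));
    printf("with copy ctor:    max releases per buffer = %d\n", strcut_release_count(1));
    return 0;
}
```

The point for review is the ownership rule: any struct that carries a pointer to memory it owns needs an explicit copy routine, and a plain assignment into a backup is exactly the place a memory debugger such as ZendMM's debug build or ASan will flag the second release.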
 [2016-08-07 23:33 UTC] stas@php.net
-Assigned To: +Assigned To: hirokawa
 [2016-11-27 14:20 UTC] kalle@php.net
-Assigned To: hirokawa +Assigned To: cmb
 [2016-11-27 14:20 UTC] kalle@php.net
Re-assign since hirokawa doesn't have security permissions
 [2016-11-27 22:59 UTC] stas@php.net
I don't see how this can be exploitable, could you explain?
 [2016-11-28 10:14 UTC] cmb@php.net
It seems that *every* time mb_strcut() is called with $encoding =
'HTML-ENTITIES', there will be double-frees. I can't assess the
severity of these double-frees (might be harmless in all cases).
 [2017-06-21 08:37 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2017-07-23 10:11 UTC] nikic@php.net
-Type: Security +Type: Bug
 [2017-07-23 10:17 UTC] nikic@php.net
-Summary: Segmentation fault mb_strcut + mb_list_encodings +Summary: Segmentation fault mb_strcut with HTML-ENTITIES encoding
 [2017-07-23 10:23 UTC] nikic@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=php-src.git;a=commit;h=418da85f1528172fb9df376c17f0fd79faf4aebf
Log: Fix #71606: Segmentation fault mb_strcut with HTML-ENTITIES
 [2017-07-23 10:23 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC