Bug #76319 mb_strtolower with default encoding causes BufferOverflow and termination
Submitted: 2018-05-09 18:44 UTC
Modified: 2018-05-25 10:17 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: ion dot bazan at gmail dot com
Assigned: nikic
Status: Closed
Package: mbstring related
PHP Version: master-Git-2018-05-09 (Git)
OS: Linux
Private report: No
CVE-ID: None
 [2018-05-09 18:44 UTC] ion dot bazan at gmail dot com
Description:
------------
Calling mb_strtolower without specifying the encoding may cause an unexpected buffer overflow, while on PHP 7.2 it works properly.

Test script:
---------------
var_dump(mb_strtolower(urldecode('a%A1%C0b')));

Expected result:
----------------
string(4) "a??b"

Actual result:
--------------
*** buffer overflow detected ***: php terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7329f)[0x7f3bc3f2f29f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f3bc3fca83c]
/lib/x86_64-linux-gnu/libc.so.6(+0x10d710)[0x7f3bc3fc9710]
php[0x6f8f6d]
php[0x6e8031]
php(php_unicode_convert_case+0xbd)[0x6f917d]
php[0x6f26c3]
php(execute_ex+0x8e25)[0x9d15e5]
php(zend_call_function+0x7de)[0x92533e]
php[0x76fdba]
php(execute_ex+0x8e25)[0x9d15e5]
php(zend_execute+0x1d6)[0x9d26c6]
php(zend_execute_scripts+0xe7)[0x9366f7]
php(php_execute_script+0x3a6)[0x8c7116]
php[0x9d4cda]
php[0x45e8d0]
--- CUT ---

 [2018-05-09 18:46 UTC] ion dot bazan at gmail dot com
-Package: *General Issues +Package: mbstring related
 [2018-05-09 18:46 UTC] ion dot bazan at gmail dot com
Change category
 [2018-05-09 18:50 UTC] ion dot bazan at gmail dot com
Calling:

mb_strtolower(urldecode('a%A1%C0b'), 'ASCII')

works properly though.
 [2018-05-09 19:00 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2018-05-09 19:00 UTC] nikic@php.net
<?php
var_dump(mb_strtolower("a\xA1\x0B", 'UTF-8'));

UTF-8 is the default encoding and \xA1\x0B is invalid UTF-8. Clearly something is going wrong with handling invalid UTF-8.
 [2018-05-09 19:10 UTC] nikic@php.net
-Status: Verified +Status: Analyzed
 [2018-05-09 19:10 UTC] nikic@php.net
We're getting 0x780000a1 as the character, the simple casemapping leaves it at 0x780000a1, but the full casemapping assigns special meaning to results that have a non-zero top byte. We'll have to add an explicit check for out of range characters before calling the casemapping functions.
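
The failure mode analysed in the comment above, as an added example that is not part of the original report and is not php-src code. The packed result layout (top byte = expansion length, low 24 bits = table offset), `toy_full_lower`, `lower_all` and the one-entry table are assumptions made for illustration; only the value 0x780000a1 comes from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_UNICODE   0x10FFFFu /* highest valid Unicode code point */
#define MAX_EXPANSION 3         /* assumed output slots reserved per input code point */

/* Toy expansion table: U+0130 lowercases to U+0069 U+0307. */
static const uint32_t expansions[] = { 0x0069, 0x0307 };

/* Toy lookup with an assumed packed result: top byte = length of a
 * multi-code-point mapping, low 24 bits = offset into expansions[]. */
static uint32_t toy_full_lower(uint32_t cp) {
    if (cp >= 'A' && cp <= 'Z') return cp + 32; /* simple 1:1 mapping */
    if (cp == 0x0130) return (2u << 24) | 0u;   /* packed 2-code-point mapping */
    return cp;                                  /* unmapped: returned unchanged */
}

/* Lowercase n code points into out[cap]. Returns the count written, or -1 when
 * a result claims more than the buffer or table holds (where an unguarded
 * copy would overflow). check_range enables the explicit range check. */
long lower_all(const uint32_t *in, size_t n, uint32_t *out, size_t cap, int check_range) {
    size_t w = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = in[i];
        int skip = check_range && cp > MAX_UNICODE; /* out of range: no case mapping */
        uint32_t r = skip ? cp : toy_full_lower(cp);
        size_t len = skip ? 0 : (r >> 24);          /* non-zero top byte = expansion */
        size_t off = r & 0xFFFFFFu;
        if (len == 0) {                             /* single code point result */
            if (w >= cap) return -1;
            out[w++] = r;
            continue;
        }
        if (len > cap - w || off + len > 2) return -1; /* bogus length or offset */
        for (size_t k = 0; k < len; k++) out[w++] = expansions[off + k];
    }
    return (long)w;
}

int main(void) {
    /* Constructed input: 'A', the out-of-range value from the report, 'B'. */
    const uint32_t in[] = { 'A', 0x780000a1u, 'B' };
    uint32_t out[3 * MAX_EXPANSION];
    printf("unchecked: %ld\n", lower_all(in, 3, out, 9, 0)); /* -1: claims 0x78 slots */
    printf("checked:   %ld\n", lower_all(in, 3, out, 9, 1)); /* 3: passed through */
    return 0;
}
```

Without the range check, the unmapped value comes back unchanged and its top byte 0x78 is read as an expansion length of 120 code points, far beyond what a caller sized for `MAX_EXPANSION` would have reserved.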
 [2018-05-24 21:27 UTC] cmb@php.net
BTW: doesn't the implementation of full case mapping[1] deserve a
prominent entry in UPGRADING?

[1] <http://git.php.net/?p=php-src.git;a=commit;h=582a65b06f3de125887cab02d5c561168fcf94bc>
 [2018-05-25 10:10 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9d63f4dec1d180f2a9533d8b7b6b5c445917aee2
Log: Fixed bug #76319
 [2018-05-25 10:10 UTC] nikic@php.net
-Status: Analyzed +Status: Closed
 [2018-05-25 10:17 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2018-05-25 10:17 UTC] nikic@php.net
@cmb: Good point, I added some notes in https://github.com/php/php-src/commit/95c9d9d2d7f696e5e9cd05692195b4e4071e0d40.
 
Last updated: Thu Dec 13 22:01:26 2018 UTC