php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #78559 Heap buffer overflow in mb_eregi
Submitted: 2019-09-18 10:48 UTC Modified: 2019-09-24 04:50 UTC
From: nikic@php.net Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.3.9 OS:
Private report: No CVE-ID: None
 [2019-09-18 10:48 UTC] nikic@php.net
Description:
------------
Against libonig 2.9.3 the test script gives:

=================================================================
==17768==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000023727 at pc 0x00000184bd62 bp 0x7ffda9f2f1d0 sp 0x7ffda9f2f1c8
READ of size 1 at 0x603000023727 thread T0
    #0 0x184bd61 in str_lower_case_match /home/nikic/libonig/src/regexec.c:4017:11
    #1 0x184bd61 in slow_search_ic /home/nikic/libonig/src/regexec.c:4040:9
    #2 0x184bd61 in forward_search_range /home/nikic/libonig/src/regexec.c:4355:9
    #3 0x18487df in onig_search_with_param /home/nikic/libonig/src/regexec.c:4778:17
    #4 0x1847554 in onig_search /home/nikic/libonig/src/regexec.c:4574:7
    #5 0xa99ad0 in _php_mb_onig_search /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:878:8
    #6 0xa99ad0 in _php_mb_regex_ereg_exec /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:936:6
    #7 0x168f607 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:1326:2
    #8 0x148597c in execute_ex /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:54074:7
    #9 0x148605c in zend_execute /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:58355:2
    #10 0x130625f in zend_execute_scripts /home/nikic/php-src-fuzz/Zend/zend.c:1643:4
    #11 0x10f0935 in php_execute_script /home/nikic/php-src-fuzz/main/main.c:2587:14
    #12 0x17979c0 in do_cli /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:961:5
    #13 0x1794a0f in main /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:1352:18
    #14 0x7ff709f62b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #15 0x447139 in _start (/home/nikic/php-src-fuzz/sapi/cli/php+0x447139)

0x603000023727 is located 0 bytes to the right of 23-byte region [0x603000023710,0x603000023727)
allocated by thread T0 here:
    #0 0x4bf03d in malloc (/home/nikic/php-src-fuzz/sapi/cli/php+0x4bf03d)
    #1 0x17f44c0 in set_optimize_exact /home/nikic/libonig/src/regcomp.c:5687:25
    #2 0x17f44c0 in set_optimize_info_from_tree /home/nikic/libonig/src/regcomp.c:5800:11
    #3 0x17f44c0 in onig_compile /home/nikic/libonig/src/regcomp.c:6194:7
    #4 0x1817d6e in onig_new /home/nikic/libonig/src/regcomp.c:6356:7
    #5 0xaa018d in php_mbregex_compile_pattern /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:467:19
    #6 0xa99a48 in _php_mb_regex_ereg_exec /home/nikic/php-src-fuzz/ext/mbstring/php_mbregex.c:927:7
    #7 0x168f607 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:1326:2
    #8 0x148597c in execute_ex /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:54074:7
    #9 0x148605c in zend_execute /home/nikic/php-src-fuzz/Zend/zend_vm_execute.h:58355:2
    #10 0x130625f in zend_execute_scripts /home/nikic/php-src-fuzz/Zend/zend.c:1643:4
    #11 0x10f0935 in php_execute_script /home/nikic/php-src-fuzz/main/main.c:2587:14
    #12 0x17979c0 in do_cli /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:961:5
    #13 0x1794a0f in main /home/nikic/php-src-fuzz/sapi/cli/php_cli.c:1352:18
    #14 0x7ff709f62b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Test script:
---------------
<?php
$str = "5b5b5b5b5b5b5b492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c52525252525252525252525252525252525252525252525252492a5bce946b5c4b5d5c6b5c4b5d5c4b5d1cceb04b5d1cceb07a73717e4b1c1cceb04b5d1cceb07a73717e4b1c302c36303030ceb07b7bd2a15c305c30663f436f6e74655c5238416711087b363030302c36303030ceb07b7b7b7b7b7b7b363030302c36303030ceb07b7b7b7b7b7b7b4a01";
$str = hex2bin($str);
var_dump(mb_eregi($str, $str));



Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-18 12:11 UTC] nikic@php.net
It looks like this is already fixed with current oniguruma master.
 [2019-09-20 17:05 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: stas
 [2019-09-20 17:05 UTC] cmb@php.net
Complete fix including PHPT at
<https://gist.github.com/cmb69/6c00045e545c7ca6db3916dd6fc9a44d>.

Only PHP-7.3 is affected.

Could you please submit this to the sec repo, Stas?
 [2019-09-24 04:51 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8f949eba8083e34d181c30bcf11aaeef2496bb97
Log: Fix #78559: Heap buffer overflow in mb_eregi
 [2019-09-24 04:51 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-09-24 08:28 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=90a77d87d4b63db29b1051a784e91e7d368a07e1
Log: Fix #78559: Heap buffer overflow in mb_eregi
 [2019-09-26 20:23 UTC] axisselalumultitalenta at gmail dot com
The following pull request has been associated:

Patch Name: Convert login, logout and statistics pages to templates
On GitHub:  https://github.com/php/web-bugs/pull/83
Patch:      https://github.com/php/web-bugs/pull/83.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Nov 05 23:01:28 2024 UTC