Sec Bug #78633 Heap buffer overflow (read) in mb_eregi
Submitted: 2019-10-04 09:10 UTC Modified: 2019-10-21 06:20 UTC
From: nikic@php.net Assigned: stas (profile)
Status: Closed Package: mbstring related
PHP Version: 7.3.10 OS:
Private report: No CVE-ID: None
 [2019-10-04 09:10 UTC] nikic@php.net
Description:
------------
Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17971
Reported upstream: https://github.com/kkos/oniguruma/issues/156

This affects PHP 7.3, but not PHP 7.2.

Test script:
---------------
<?php
var_dump(mb_eregi(".+IsssĒ°", ".+IsssĒ°"));

Actual result:
--------------
==19476== Invalid read of size 1
==19476==    at 0x62C172: match_at (regexec.c:2903)
==19476==    by 0x637E6D: onig_search_with_param (regexec.c:4998)
==19476==    by 0x68E326: _php_mb_onig_search (php_mbregex.c:879)
==19476==    by 0x68E5D6: _php_mb_regex_ereg_exec (php_mbregex.c:945)
==19476==    by 0x68E81B: zif_mb_eregi (php_mbregex.c:994)
==19476==    by 0xA97B2F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:694)
==19476==    by 0xB04EC4: execute_ex (zend_vm_execute.h:55473)
==19476==    by 0xB0A4EA: zend_execute (zend_vm_execute.h:60889)
==19476==    by 0xA2E7F0: zend_execute_scripts (zend.c:1568)
==19476==    by 0x993E38: php_execute_script (main.c:2639)
==19476==    by 0xB0D2FA: do_cli (php_cli.c:997)
==19476==    by 0xB0E471: main (php_cli.c:1389)
==19476==  Address 0x10ce6004 is 0 bytes after a block of size 4 alloc'd
==19476==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19476==    by 0x6199C0: ops_make_string_pool (regcomp.c:337)
==19476==    by 0x6268FF: onig_compile (regcomp.c:6436)
==19476==    by 0x626C70: onig_new (regcomp.c:6565)
==19476==    by 0x68D5E4: php_mbregex_compile_pattern (php_mbregex.c:468)
==19476==    by 0x68E570: _php_mb_regex_ereg_exec (php_mbregex.c:936)
==19476==    by 0x68E81B: zif_mb_eregi (php_mbregex.c:994)
==19476==    by 0xA97B2F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:694)
==19476==    by 0xB04EC4: execute_ex (zend_vm_execute.h:55473)
==19476==    by 0xB0A4EA: zend_execute (zend_vm_execute.h:60889)
==19476==    by 0xA2E7F0: zend_execute_scripts (zend.c:1568)
==19476==    by 0x993E38: php_execute_script (main.c:2639)

 [2019-10-04 17:04 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: stas
 [2019-10-04 17:04 UTC] cmb@php.net
Full patch at <https://gist.github.com/cmb69/7248e5b7d10f3fad6dd38d040371fd83>.

Stas, can you please take care of this?  (PHP-7.3 only)
 [2019-10-04 22:12 UTC] stas@php.net
Will do.
 [2019-10-04 22:13 UTC] stas@php.net
Generally such thing would need a CVE but I am not sure whether to allocate it since it's Oniguruma upstream issue...
 [2019-10-21 06:21 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f50d58caba8286b5c533f6925b2ec320dd0742e
Log: Fix #78633: Heap buffer overflow (read) in mb_eregi
 [2019-10-21 06:21 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2019-10-22 07:16 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=126018250ecb53e5126c67175fd5077ff03e8022
Log: Fix #78633: Heap buffer overflow (read) in mb_eregi
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Nov 13 23:01:29 2019 UTC