Sec Bug #78633 Heap buffer overflow (read) in mb_eregi
Submitted: 2019-10-04 09:10 UTC
Modified: 2019-10-21 06:20 UTC
From: nikic@php.net
Assigned: stas
Status: Closed
Package: mbstring related
PHP Version: 7.3.10
OS:
Private report: No
CVE-ID: None

 [2019-10-04 09:10 UTC] nikic@php.net
Description:
------------
Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17971
Reported upstream: https://github.com/kkos/oniguruma/issues/156

This affects PHP 7.3, but not PHP 7.2.

Test script:
---------------
<?php
var_dump(mb_eregi(".+IsssĒ°", ".+IsssĒ°"));

Actual result:
--------------
==19476== Invalid read of size 1
==19476==    at 0x62C172: match_at (regexec.c:2903)
==19476==    by 0x637E6D: onig_search_with_param (regexec.c:4998)
==19476==    by 0x68E326: _php_mb_onig_search (php_mbregex.c:879)
==19476==    by 0x68E5D6: _php_mb_regex_ereg_exec (php_mbregex.c:945)
==19476==    by 0x68E81B: zif_mb_eregi (php_mbregex.c:994)
==19476==    by 0xA97B2F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:694)
==19476==    by 0xB04EC4: execute_ex (zend_vm_execute.h:55473)
==19476==    by 0xB0A4EA: zend_execute (zend_vm_execute.h:60889)
==19476==    by 0xA2E7F0: zend_execute_scripts (zend.c:1568)
==19476==    by 0x993E38: php_execute_script (main.c:2639)
==19476==    by 0xB0D2FA: do_cli (php_cli.c:997)
==19476==    by 0xB0E471: main (php_cli.c:1389)
==19476==  Address 0x10ce6004 is 0 bytes after a block of size 4 alloc'd
==19476==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19476==    by 0x6199C0: ops_make_string_pool (regcomp.c:337)
==19476==    by 0x6268FF: onig_compile (regcomp.c:6436)
==19476==    by 0x626C70: onig_new (regcomp.c:6565)
==19476==    by 0x68D5E4: php_mbregex_compile_pattern (php_mbregex.c:468)
==19476==    by 0x68E570: _php_mb_regex_ereg_exec (php_mbregex.c:936)
==19476==    by 0x68E81B: zif_mb_eregi (php_mbregex.c:994)
==19476==    by 0xA97B2F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:694)
==19476==    by 0xB04EC4: execute_ex (zend_vm_execute.h:55473)
==19476==    by 0xB0A4EA: zend_execute (zend_vm_execute.h:60889)
==19476==    by 0xA2E7F0: zend_execute_scripts (zend.c:1568)
==19476==    by 0x993E38: php_execute_script (main.c:2639)

 [2019-10-04 17:04 UTC] cmb@php.net
-Status: Open
+Status: Analyzed
-Assigned To:
+Assigned To: stas
 [2019-10-04 17:04 UTC] cmb@php.net
Full patch at <https://gist.github.com/cmb69/7248e5b7d10f3fad6dd38d040371fd83>.

Stas, can you please take care of this?  (PHP-7.3 only)
 [2019-10-04 22:12 UTC] stas@php.net
Will do.
 [2019-10-04 22:13 UTC] stas@php.net
Generally such a thing would need a CVE, but I am not sure whether to allocate it since it's an Oniguruma upstream issue...
 [2019-10-21 06:21 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f50d58caba8286b5c533f6925b2ec320dd0742e
Log: Fix #78633: Heap buffer overflow (read) in mb_eregi
 [2019-10-21 06:21 UTC] stas@php.net
-Status: Analyzed
+Status: Closed
 [2019-10-22 07:16 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=126018250ecb53e5126c67175fd5077ff03e8022
Log: Fix #78633: Heap buffer overflow (read) in mb_eregi
 
Last updated: Sat Sep 14 06:01:30 2024 UTC