PHP :: Sec Bug #78633 :: Heap buffer overflow (read) in mb

Sec Bug #78633	Heap buffer overflow (read) in mb_eregi
Submitted:	2019-10-04 09:10 UTC	Modified:	2019-10-21 06:20 UTC
From:	nikic@php.net	Assigned:	stas (profile)
Status:	Closed	Package:	mbstring related
PHP Version:	7.3.10	OS:
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nikic@php.net
New email:
PHP Version:		OS:

New Comment:

[2019-10-04 09:10 UTC] nikic@php.net

Description:
------------
Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17971
Reported upstream: https://github.com/kkos/oniguruma/issues/156

This affects PHP 7.3, but not PHP 7.2.

Test script:
---------------
<?php
var_dump(mb_eregi(".+Isssǰ", ".+Isssǰ"));

Actual result:
--------------
==19476== Invalid read of size 1
==19476==    at 0x62C172: match_at (regexec.c:2903)
==19476==    by 0x637E6D: onig_search_with_param (regexec.c:4998)
==19476==    by 0x68E326: _php_mb_onig_search (php_mbregex.c:879)
==19476==    by 0x68E5D6: _php_mb_regex_ereg_exec (php_mbregex.c:945)
==19476==    by 0x68E81B: zif_mb_eregi (php_mbregex.c:994)
==19476==    by 0xA97B2F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:694)
==19476==    by 0xB04EC4: execute_ex (zend_vm_execute.h:55473)
==19476==    by 0xB0A4EA: zend_execute (zend_vm_execute.h:60889)
==19476==    by 0xA2E7F0: zend_execute_scripts (zend.c:1568)
==19476==    by 0x993E38: php_execute_script (main.c:2639)
==19476==    by 0xB0D2FA: do_cli (php_cli.c:997)
==19476==    by 0xB0E471: main (php_cli.c:1389)
==19476==  Address 0x10ce6004 is 0 bytes after a block of size 4 alloc'd
==19476==    at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19476==    by 0x6199C0: ops_make_string_pool (regcomp.c:337)
==19476==    by 0x6268FF: onig_compile (regcomp.c:6436)
==19476==    by 0x626C70: onig_new (regcomp.c:6565)
==19476==    by 0x68D5E4: php_mbregex_compile_pattern (php_mbregex.c:468)
==19476==    by 0x68E570: _php_mb_regex_ereg_exec (php_mbregex.c:936)
==19476==    by 0x68E81B: zif_mb_eregi (php_mbregex.c:994)
==19476==    by 0xA97B2F: ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER (zend_vm_execute.h:694)
==19476==    by 0xB04EC4: execute_ex (zend_vm_execute.h:55473)
==19476==    by 0xB0A4EA: zend_execute (zend_vm_execute.h:60889)
==19476==    by 0xA2E7F0: zend_execute_scripts (zend.c:1568)
==19476==    by 0x993E38: php_execute_script (main.c:2639)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-10-04 11:04 UTC] nikic@php.net

Upstream fix: https://github.com/kkos/oniguruma/commit/15c4228aa2ffa02140a99912dd3177df0b1841c6

[2019-10-04 17:04 UTC] cmb@php.net

-Status: Open +Status: Analyzed -Assigned To: +Assigned To: stas

[2019-10-04 17:04 UTC] cmb@php.net

Full patch at <https://gist.github.com/cmb69/7248e5b7d10f3fad6dd38d040371fd83>.

Stas, can you please take care of this?  (PHP-7.3 only)

[2019-10-04 22:12 UTC] stas@php.net

Will do.

[2019-10-04 22:13 UTC] stas@php.net

Generally such thing would need a CVE but I am not sure whether to allocate it since it's Oniguruma upstream issue...

[2019-10-21 06:21 UTC] stas@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f50d58caba8286b5c533f6925b2ec320dd0742e
Log: Fix #78633: Heap buffer overflow (read) in mb_eregi

[2019-10-21 06:21 UTC] stas@php.net

-Status: Analyzed +Status: Closed

[2019-10-22 07:16 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=126018250ecb53e5126c67175fd5077ff03e8022
Log: Fix #78633: Heap buffer overflow (read) in mb_eregi

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 10:01:28 2024 UTC