Bug #79150 memcpy-param-overlap caused by zif_mb_convert_encoding
Submitted: 2020-01-21 14:33 UTC Modified: 2020-01-22 08:34 UTC
From: wxhusst at gmail dot com Assigned: cmb (profile)
Status: Duplicate Package: mbstring related
PHP Version: 7.4Git-2020-01-21 (Git) OS: linux
Private report: No CVE-ID: None
 [2020-01-21 14:33 UTC] wxhusst at gmail dot com
Description:
------------
==119497==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f29aaa02052,0xfe535547e2db) and [0x7f29aaa59c78, 0xfe53554d5f01) overlap
    #0 0x6acd38 in __asan_memcpy /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
    #1 0x10c0f2c in zif_mb_convert_encoding /home/raven/fuzz/php-src-php-7.4.2/ext/mbstring/mbstring.c:3375:7
    #2 0x242215d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:1269:2
    #3 0x2131c97 in execute_ex /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:53611:7
    #4 0x2132d52 in zend_execute /home/raven/fuzz/php-src-php-7.4.2/Zend/zend_vm_execute.h:57913:2
    #5 0x1eb6d8c in zend_execute_scripts /home/raven/fuzz/php-src-php-7.4.2/Zend/zend.c:1665:4
    #6 0x1a9b754 in php_execute_script /home/raven/fuzz/php-src-php-7.4.2/main/main.c:2617:14
    #7 0x255f9f0 in do_cli /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:961:5
    #8 0x255c3a7 in main /home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php_cli.c:1352:18
    #9 0x7f29b00c41e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #10 0x602b3d in _start (/home/raven/fuzz/php-src-php-7.4.2/sapi/cli/php+0x602b3d)

Address 0x7f29aaa02052 is a wild pointer.
Address 0x7f29aaa59c78 is a wild pointer.
SUMMARY: AddressSanitizer: memcpy-param-overlap /home/buildnode/jenkins/workspace/oss-swift-5.1-package-linux-ubuntu-18_04/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
==119497==ABORTING

Test script:
---------------
<?php
try { try { mb_convert_encoding(range(0, 10), str_repeat(chr(193), 65537) + str_repeat(chr(168), 65), array(array("Volvo",100,96),range(0,10),array("a" => 1, "b" => "2", "c" => 3.0))); } catch (Exception $e) { } } catch(Error $e) { }
?>

Expected result:
----------------
normal

Actual result:
--------------
crash

 [2020-01-21 16:23 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-01-21 16:23 UTC] cmb@php.net
Thanks for reporting!
 [2020-01-22 08:34 UTC] cmb@php.net
-Status: Verified +Status: Duplicate -Type: Security +Type: Bug
 [2020-01-22 08:34 UTC] cmb@php.net
This is actually a duplicate of bug #79149.
 
Last updated: Wed Feb 19 10:01:28 2020 UTC