Description
Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
Summary
A global buffer over-read exists in mbfl_name2encoding_ex() (ext/mbstring/libmbfl/mbfl/mbfl_encoding.c, line 352), called from mb_convert_encoding(...) and other mbstring functions, when parsing encoding names with embedded NUL bytes.
Root Cause
In mbfl_name2encoding_ex, the MIME name search loop (line 352) compares the supplied name against each encoding's mime_name with strncasecmp() over name_len bytes and, when that returns 0, reads (*encoding)->mime_name[name_len] to confirm that the candidate name ends there.
When name contains an embedded NUL byte (e.g., "UTF-8\x00AAAA..."), strncasecmp() returns 0 as soon as it reaches the NUL, because it stops at the first NUL in either string and both strings have one at the same position. The subsequent check then reads (*encoding)->mime_name[name_len], i.e. offset name_len (22 in this example) of mime_name, which is only 6 bytes long ("UTF-8\0"). That is a read 16+ bytes past the end of the global string into adjacent global memory: whichever byte happens to be there decides whether the name is accepted, and the read itself is out of bounds either way.
The same pattern exists at line 362, in the alias search loop.
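To make the root cause concrete, here is an added example, not code from PHP or from the advisory: a small C model of the lookup loop with the flawed check beside a hardened one. The three-entry table, the numeric ids, the set_padding() helper and the 32-byte name field are assumptions of the model (in the real extension mime_name points at a bare global string, so the same index walks into whatever global data the linker placed next to it); the input "UTF-8\0AAAA" is constructed to match the shape described above.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Added example, not PHP's code: names live in a fixed 32-byte field so that
 * the read past the terminator lands in padding this program controls rather
 * than in unrelated memory.  The padding stands in for the adjacent globals
 * that the real lookup ends up reading. */
#define NAME_FIELD 32

struct enc_entry {
    char mime_name[NAME_FIELD];
    int  id;                     /* hypothetical id; 0 means "not found" */
};

static struct enc_entry table[] = {
    { "UTF-8",      1 },
    { "ISO-8859-1", 2 },
    { "Shift_JIS",  3 },
};
#define N_ENC (sizeof table / sizeof table[0])

/* Overwrite the bytes after each terminator (the terminator itself stays),
 * simulating different contents of the memory next to the string. */
void set_padding(char fill)
{
    for (size_t i = 0; i < N_ENC; i++) {
        size_t slen = strlen(table[i].mime_name);
        memset(table[i].mime_name + slen + 1, fill, NAME_FIELD - slen - 1);
    }
}

/* Vulnerable model of the loop: strncasecmp() == 0 is taken to mean the
 * lengths match, and mime_name[name_len] is then read to confirm the
 * terminator.  An embedded NUL in `name` makes strncasecmp() stop early and
 * return 0, so that index can lie past the end of the string.  *oob receives
 * how far past the terminator the index was (0 = in bounds, 1 = first byte
 * after the NUL).  Returns the entry id, 0 for no match, -1 if the demo
 * guard fired. */
int lookup_vulnerable(const char *name, size_t name_len, size_t *oob)
{
    *oob = 0;
    if (name_len >= NAME_FIELD)          /* demo-only guard, not in the original */
        return -1;
    for (size_t i = 0; i < N_ENC; i++) {
        const char *mn = table[i].mime_name;
        if (strncasecmp(mn, name, name_len) == 0) {
            size_t slen = strlen(mn);
            if (name_len > slen)
                *oob = name_len - slen;
            if (mn[name_len] == '\0')    /* the offending read */
                return table[i].id;
        }
    }
    return 0;
}

/* Hardened model (one way to fix it, not necessarily the upstream patch):
 * reject embedded NULs outright and compare lengths before the bytes, so the
 * only index ever read lies inside the candidate string. */
int lookup_fixed(const char *name, size_t name_len)
{
    if (memchr(name, '\0', name_len) != NULL)
        return 0;                        /* an encoding name never contains NUL */
    for (size_t i = 0; i < N_ENC; i++) {
        const char *mn = table[i].mime_name;
        if (strlen(mn) == name_len && strncasecmp(mn, name, name_len) == 0)
            return table[i].id;
    }
    return 0;
}

int main(void)
{
    /* Constructed input in the shape the advisory describes: "UTF-8", an
     * embedded NUL, then filler; name_len counts all 10 bytes. */
    static const char evil[] = "UTF-8\0AAAA";
    size_t evil_len = sizeof evil - 1;
    size_t oob;
    int id;

    set_padding('A');   /* adjacent memory non-zero: no match, but the read happened */
    id = lookup_vulnerable(evil, evil_len, &oob);
    printf("vulnerable, padding 'A': id=%d, index %zu bytes past NUL\n", id, oob);

    set_padding('\0');  /* adjacent memory zero: bogus name accepted as UTF-8 */
    id = lookup_vulnerable(evil, evil_len, &oob);
    printf("vulnerable, padding 0:   id=%d, index %zu bytes past NUL\n", id, oob);

    printf("fixed, same input:       id=%d\n", lookup_fixed(evil, evil_len));
    printf("fixed, \"utf-8\":          id=%d\n", lookup_fixed("utf-8", 5));
    return 0;
}
```

The two paddings show the two observable outcomes of the same out-of-bounds read: with non-zero bytes next to the string the lookup merely fails, with zero bytes the NUL-containing name is silently accepted as UTF-8. Against the real extension there is no controlled padding, which is why the ASan build mentioned under Minimal Reproducer is the reliable way to see the read.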
Minimal Reproducer
Running with ASan-instrumented PHP 8.4.20:
Attack Surface
- Triggerable when an attacker-controlled encoding name is passed to mb_convert_encoding() without sanitization (PHP strings are binary-safe, so a NUL byte inside a request parameter reaches the function unchanged).
- Also affected: mb_detect_encoding(), mb_convert_variables() and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
- Out-of-bounds read of global memory (CWE-125).
- Information disclosure of adjacent global data; not directly exploitable for code execution.
Environment
- PHP 8.4.0+
- Built with -fsanitize=address,undefined
Packages
Package        Affected    Fixed in
ext-mbstring   < 8.4.21    8.4.21
ext-mbstring   < 8.5.6     8.5.6
Related vulnerabilities
In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.