Out of bounds read in mbc_to_code() #16
For certain inputs to the regular expression parser via onig_new() an out of bounds read access will happen. This can be seen by compiling oniguruma with address sanitizer (-fsanitize=address). See code example below.
I found this bug while fuzzing PHP with american fuzzy lop, yet it seems the bug is not in PHP itself, but in its bundled oniguruma copy. Tested both with the git code and version 5.9.5.
The Address Sanitizer stack trace:
This fix also seems incomplete. Passing bytes 0xfb, 0x0a still triggers an out of bounds in the same code line:
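To make the bug class in this thread concrete, here is an added illustration that is not oniguruma's code and not from the reporter: a UTF-8-style multibyte decoder in the shape of a `mbc_to_code()` routine, with the bounds check that a decoder must perform before consuming the byte count announced by a lead byte. The two-byte pattern `0xfb 0x0a` from the follow-up comment is used as constructed input: under the historical 5/6-byte UTF-8 scheme (an assumption about the encoding table, not something the issue states), `0xfb` claims a five-byte sequence, so a decoder that never compares against the pattern end would read three bytes past the buffer, which is exactly what AddressSanitizer flags. `overread_bytes()` computes that distance arithmetically rather than performing the bad read, and `decode_checked()` shows the check that prevents it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte count implied by a UTF-8 lead byte, including the historical 5- and
 * 6-byte forms (0xF8..0xFD). A 0xFB lead byte therefore claims 5 bytes.
 * (Assumed encoding table for illustration; not oniguruma's own.) */
size_t utf8_lead_len(uint8_t b)
{
    if (b < 0x80)           return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    if ((b & 0xFC) == 0xF8) return 5;
    if ((b & 0xFE) == 0xFC) return 6;
    return 1;               /* stray continuation byte: consume one byte */
}

/* How many bytes past `end` a decoder that trusts the lead byte and never
 * compares against `end` would read. Pure arithmetic: nothing beyond the
 * buffer is dereferenced. 0 means the announced sequence fits. */
size_t overread_bytes(const uint8_t *p, const uint8_t *end)
{
    size_t avail = (size_t)(end - p);
    size_t need  = utf8_lead_len(*p);
    return need > avail ? need - avail : 0;
}

/* Bounds-checked decode. Returns the number of bytes consumed (> 0) and stores
 * the code point in *code; returns -1 if the sequence announced by the lead
 * byte is truncated by `end`, -2 if a trailing byte is not a 10xxxxxx
 * continuation byte. */
int decode_checked(const uint8_t *p, const uint8_t *end, uint32_t *code)
{
    if (p >= end) return -1;
    size_t len = utf8_lead_len(*p);
    if ((size_t)(end - p) < len) return -1;   /* the check that bounds the read */

    uint32_t c;
    switch (len) {
    case 1:  *code = *p;   return 1;
    case 2:  c = *p & 0x1F; break;
    case 3:  c = *p & 0x0F; break;
    case 4:  c = *p & 0x07; break;
    case 5:  c = *p & 0x03; break;
    default: c = *p & 0x01; break;
    }
    for (size_t i = 1; i < len; i++) {
        if ((p[i] & 0xC0) != 0x80) return -2;
        c = (c << 6) | (p[i] & 0x3F);
    }
    *code = c;
    return (int)len;
}

int main(void)
{
    /* Constructed input taken from the follow-up comment: 0xFB then 0x0A. */
    const uint8_t pat[] = { 0xFB, 0x0A };
    const uint8_t *end = pat + sizeof pat;
    uint32_t code;

    printf("unchecked decoder would read %zu byte(s) past the end\n",
           overread_bytes(pat, end));
    printf("checked decode result: %d\n", decode_checked(pat, end, &code));
    return 0;
}
```

The same shape of check applies to any routine that takes a `(pattern, pattern_end)` pair, as `onig_new()` does: the length announced by the lead byte is attacker-controlled data and must be compared against `end` before any trailing byte is touched. A regression test that feeds short, truncated lead bytes such as this one through the parser under `-fsanitize=address` is the cheapest way to catch a fix that only handles one of the lead-byte ranges.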