Out of bounds read in mbc_to_code() #16

Closed
hannob opened this issue Aug 21, 2016 · 3 comments
hannob commented Aug 21, 2016

For certain inputs to the regular expression parser via onig_new() an out of bounds read access will happen. This can be seen by compiling oniguruma with address sanitizer (-fsanitize=address). See code example below.

I found this bug while fuzzing PHP with american fuzzy lop, yet it seems the bug is not in PHP itself, but in its bundled oniguruma copy. Tested both with the git code and version 5.9.5.

#include <oniguruma.h>
#include <string.h>

int main(void)
{
    regex_t *reg;
    /* The pattern ends in 0xfb, a lead byte that announces a multi-byte
       sequence; the string literal is 6 bytes including its NUL, and the
       parser reads continuation bytes past that. The cast keeps the
       literal itself (the global ASan reports below) as the buffer. */
    unsigned char *inp = (unsigned char *)"0000\xfb";

    onig_new(&reg, inp, inp + strlen((const char *)inp), ONIG_OPTION_DEFAULT,
             ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
    return 0;
}

The Address Sanitizer stack trace:

==11030==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000044ad86 at pc 0x4433f3 bp 0x7fff0e435ba0 sp 0x7fff0e435b98
READ of size 1 at 0x00000044ad86 thread T0
    #0 0x4433f2 in mbc_to_code /mnt/ram/oniguruma/src/utf8.c:105
    #1 0x41063c in fetch_token /mnt/ram/oniguruma/src/regparse.c:3039
    #2 0x41d161 in parse_exp /mnt/ram/oniguruma/src/regparse.c:4905
    #3 0x41ebd7 in parse_branch /mnt/ram/oniguruma/src/regparse.c:5195
    #4 0x41efc6 in parse_subexp /mnt/ram/oniguruma/src/regparse.c:5232
    #5 0x41f375 in parse_regexp /mnt/ram/oniguruma/src/regparse.c:5277
    #6 0x41f7c1 in onig_parse_make_tree /mnt/ram/oniguruma/src/regparse.c:5304
    #7 0x43c593 in onig_compile /mnt/ram/oniguruma/src/regcomp.c:5263
    #8 0x43d54a in onig_new /mnt/ram/oniguruma/src/regcomp.c:5500
    #9 0x40113f in main /tmp/oniguruma-heap-oob-mbc_to_code.c:8
    #10 0x7f7379eea78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #11 0x400f08 in _start (/tmp/a.out+0x400f08)

0x00000044ad86 is located 0 bytes to the right of global variable '*.LC1' from 'oniguruma-heap-oob-mbc_to_code.c' (0x44ad80) of size 6
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/ram/oniguruma/src/utf8.c:105 mbc_to_code
Shadow bytes around the buggy address:
  0x000080081560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080081570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080081580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080081590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800815a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800815b0:[06]f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800815c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800815d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800815e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800815f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080081600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==11030==ABORTING
kkos (Owner) commented Aug 21, 2016

Thank you for the report.
I have fixed it in develop branch.

@kkos kkos closed this as completed Aug 22, 2016
@kkos kkos added the bug label Aug 23, 2016
hannob (Author) commented Aug 24, 2016

This fix also seems incomplete. Passing bytes 0xfb, 0x0a still triggers an out of bounds in the same code line:

#include <oniguruma.h>

int main(void)
{
    regex_t *reg;
    /* Lead byte 0xfb followed by one more byte and then the end of the
       buffer; there is no NUL terminator, so any read past inp + 2 is
       out of bounds. */
    unsigned char inp[2] = { 0xfb, 0x0a };

    onig_new(&reg, inp, inp + 2, ONIG_OPTION_DEFAULT,
             ONIG_ENCODING_UTF8, ONIG_SYNTAX_DEFAULT, 0);
    return 0;
}

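Both reproducers in this thread share one defect class: a UTF-8 decoder that takes the sequence length from the lead byte and reads that many bytes without comparing against the end pointer, so a pattern ending in a lead byte such as 0xfb (which in the historical pre-RFC 3629 encoding announces a 5-byte sequence) walks off the end of the buffer. The following is an added example written for this page, not oniguruma's own mbc_to_code() or its fix; the function names (decode_trusting_lead_byte, decode_checked, overread_bytes, count_checked), the simplified length table and the sentinel-padded copies of the two reproducer inputs are all constructed here. It shows the unchecked decoder pulling in bytes beyond `end`, computes how far past the end each reported input would be read, and shows the bounded decoder rejecting both inputs while still accepting well-formed text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes for the checked decoder (names chosen for this example). */
#define UTF8_ERR_TRUNCATED    (-1)  /* sequence would run past `end` */
#define UTF8_ERR_CONTINUATION (-2)  /* a trailing byte is not 10xxxxxx */

/* Bytes announced by a lead byte, including the historical (pre-RFC 3629)
   5- and 6-byte forms: 0xFB claims a 5-byte sequence. Simplified table
   written for this example, not oniguruma's own length table. */
static size_t utf8_len_from_lead(unsigned char b)
{
    if (b < 0xC0) return 1;                 /* ASCII or stray continuation */
    if (b < 0xE0) return 2;
    if (b < 0xF0) return 3;
    if (b < 0xF8) return 4;
    if (b < 0xFC) return 5;
    return (b < 0xFE) ? 6 : 1;
}

/* Vulnerable shape: the byte count comes from the lead byte alone and `end`
   is never consulted, so p[i] can land beyond the buffer. Mirrors the defect
   class in the report; it is not oniguruma's mbc_to_code(). */
static long decode_trusting_lead_byte(const unsigned char *p,
                                      const unsigned char *end, size_t *used)
{
    size_t len = utf8_len_from_lead(*p);
    uint32_t code = (len == 1) ? *p : (*p & (0xFFu >> (len + 1)));
    (void)end;                                   /* never checked */
    for (size_t i = 1; i < len; i++)
        code = (code << 6) | (p[i] & 0x3Fu);     /* may read past `end` */
    if (used) *used = len;
    return (long)code;
}

/* Hardened form: bound the read by `end - p` before touching any byte and
   reject trailing bytes that are not continuation bytes. */
static long decode_checked(const unsigned char *p,
                           const unsigned char *end, size_t *used)
{
    if (p >= end) return UTF8_ERR_TRUNCATED;
    size_t len = utf8_len_from_lead(*p);
    if ((size_t)(end - p) < len) return UTF8_ERR_TRUNCATED;
    uint32_t code = (len == 1) ? *p : (*p & (0xFFu >> (len + 1)));
    for (size_t i = 1; i < len; i++) {
        if ((p[i] & 0xC0u) != 0x80u) return UTF8_ERR_CONTINUATION;
        code = (code << 6) | (p[i] & 0x3Fu);
    }
    if (used) *used = len;
    return (long)code;
}

/* Walk a pattern one character at a time, as a tokenizer would, and report
   how many bytes past `end` the trusting decoder would read. Pure
   arithmetic, so it is safe to call on any buffer. */
size_t overread_bytes(const unsigned char *buf, size_t n)
{
    size_t pos = 0;
    while (pos < n) {
        size_t len = utf8_len_from_lead(buf[pos]);
        if (pos + len > n) return pos + len - n;
        pos += len;
    }
    return 0;
}

/* Walk the same pattern with the checked decoder: number of code points,
   or the negative error code at the first bad sequence. */
long count_checked(const unsigned char *buf, size_t n)
{
    const unsigned char *p = buf, *end = buf + n;
    long count = 0;
    while (p < end) {
        size_t used;
        long r = decode_checked(p, end, &used);
        if (r < 0) return r;
        p += used;
        count++;
    }
    return count;
}

/* The two reproducer inputs from the thread, each followed by constructed
   sentinel bytes standing in for whatever sits after the pattern in memory;
   the *_LEN values are the lengths the reports pass to onig_new(). */
static const unsigned char PATTERN_1[] = "0000\xfb" "\x80\x80\x80\x80";
static const size_t PATTERN_1_LEN = 5;
static const unsigned char PATTERN_2[] = { 0xfb, 0x0a, 0x80, 0x80, 0x80 };
static const size_t PATTERN_2_LEN = 2;
static const unsigned char VALID[] = "h\xc3\xa9";   /* well-formed "hé" */

int main(void)
{
    size_t used = 0;
    long c = decode_trusting_lead_byte(PATTERN_1 + 4, PATTERN_1 + PATTERN_1_LEN, &used);
    printf("unchecked: consumed %zu bytes with 1 left, code %#lx\n", used, (unsigned long)c);
    printf("over-read: %zu and %zu bytes; checked: %ld, %ld, valid %ld\n",
           overread_bytes(PATTERN_1, PATTERN_1_LEN), overread_bytes(PATTERN_2, PATTERN_2_LEN),
           count_checked(PATTERN_1, PATTERN_1_LEN), count_checked(PATTERN_2, PATTERN_2_LEN),
           count_checked(VALID, 3));
    return 0;
}
```

For "0000\xfb" the trusting decoder reads four bytes past the end (the size of the global over-read ASan flagged above), and for { 0xfb, 0x0a } it reads three; the checked decoder returns UTF8_ERR_TRUNCATED for both before touching any byte beyond `end`. The check is cheap precisely because it happens once per character, before the continuation loop, which is where a bounds test belongs in any length-prefixed decoder.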
kkos pushed a commit that referenced this issue Aug 24, 2016
@kkos kkos reopened this Aug 24, 2016
kkos (Owner) commented Aug 24, 2016

Thanks again.
I have fixed it in develop branch.

@kkos kkos closed this as completed Aug 26, 2016
staabm referenced this issue in php/php-src Sep 2, 2016
Merge upstream patch from kkos/oniguruma@65bdf2a