Description
The following code:
The proof-of-concept code is available at: https://github.com/vi3tL0u1s/poc/blob/master/php-src-heap-buffer-overflow-in-lexbor-url.php
To reproduce:
curl https://raw.githubusercontent.com/vi3tL0u1s/poc/master/php-src-heap-buffer-overflow-in-lexbor-url.php | php
This code triggers a heap-buffer-overflow in the lexbor URL parser when processing an FTP URL containing invalid UTF-8 byte sequences. The malformed URL causes the lexbor percent-encoding routine to write beyond the allocated 8200-byte buffer when handling the invalid byte sequences.
Note: This is a reduced fuzzer-generated test case. The PoC contains binary data with invalid bytes that must be preserved to trigger the vulnerability. Opening the file in text editors will corrupt the critical byte sequences and break the PoC. Use binary-safe tools like hexdump or xxd for viewing.
Resulted in this output:
==2303932==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007108 at pc 0x5568e87f7f9e bp 0x7ffca4702b40 sp 0x7ffca4702b38
WRITE of size 1 at 0x625000007108 thread T0
#0 0x5568e87f7f9d in lxb_url_percent_encode_after_utf_8 /path/to/php-src/ext/lexbor/lexbor/url/url.c:3299:19
#1 0x5568e87ed137 in lxb_url_parse_basic_h /path/to/php-src/ext/lexbor/lexbor/url/url.c:1732:38
#2 0x5568e87e9055 in lxb_url_parse_basic /path/to/php-src/ext/lexbor/lexbor/url/url.c:1269:14
#3 0x5568e87e8fda in lxb_url_parse /path/to/php-src/ext/lexbor/lexbor/url/url.c:1256:12
#4 0x5568e91a5b74 in php_uri_parser_whatwg_parse_ex /path/to/php-src/ext/uri/uri_parser_whatwg.c:568:19
#5 0x5568e91a742d in php_uri_parser_whatwg_parse /path/to/php-src/ext/uri/uri_parser_whatwg.c:590:9
#6 0x5568e918e477 in php_uri_instantiate_uri /path/to/php-src/ext/uri/php_uri.c:352:14
#7 0x5568e91920db in create_whatwg_uri /path/to/php-src/ext/uri/php_uri.c:499:2
#8 0x5568e9192191 in zim_Uri_WhatWg_Url___construct /path/to/php-src/ext/uri/php_uri.c:510:2
#9 0x5568e96c10a7 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /path/to/php-src/Zend/zend_vm_execute.h:2022:4
#10 0x5568e95de5a2 in execute_ex /path/to/php-src/Zend/zend_vm_execute.h:116212:12
#11 0x5568e95deea7 in zend_execute /path/to/php-src/Zend/zend_vm_execute.h:121924:2
#12 0x5568e9a0d130 in zend_execute_script /path/to/php-src/Zend/zend.c:1975:3
#13 0x5568e9214026 in php_execute_script_ex /path/to/php-src/main/main.c:2645:13
#14 0x5568e9214528 in php_execute_script /path/to/php-src/main/main.c:2685:9
#15 0x5568e9a14fe2 in do_cli /path/to/php-src/sapi/cli/php_cli.c:951:5
#16 0x5568e9a11f3c in main /path/to/php-src/sapi/cli/php_cli.c:1362:18
#17 0x7f95a171ed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
#18 0x7f95a171ee3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
#19 0x5568e8201d64 in _start (/path/to/php-src/sapi/cli/php+0x601d64) (BuildId: 2f4d58726259e316f2962e15de07f4156fac78bc)
0x625000007108 is located 0 bytes to the right of 8200-byte region [0x625000005100,0x625000007108)
allocated by thread T0 here:
#0 0x5568e8284bae in __interceptor_malloc (/path/to/php-src/sapi/cli/php+0x684bae) (BuildId: 2f4d58726259e316f2962e15de07f4156fac78bc)
#1 0x5568e9462e63 in __zend_malloc /path/to/php-src/Zend/zend_alloc.c:3543:14
#2 0x5568e94627f0 in _emalloc /path/to/php-src/Zend/zend_alloc.c:2780:10
#3 0x5568e86973e7 in php_lexbor_malloc /path/to/php-src/ext/lexbor/php_lexbor.c:34:9
#4 0x5568e87d97a8 in lexbor_malloc /path/to/php-src/ext/lexbor/lexbor/ports/posix/lexbor/core/memory.c:17:12
#5 0x5568e86a9c76 in lexbor_mem_chunk_init /path/to/php-src/ext/lexbor/lexbor/core/mem.c:116:19
#6 0x5568e86a9582 in lexbor_mem_chunk_make /path/to/php-src/ext/lexbor/lexbor/core/mem.c:130:9
#7 0x5568e86a93c9 in lexbor_mem_init /path/to/php-src/ext/lexbor/lexbor/core/mem.c:30:18
#8 0x5568e86aa547 in lexbor_mraw_init /path/to/php-src/ext/lexbor/lexbor/core/mraw.c:53:14
#9 0x5568e91a58ee in zm_activate_uri_parser_whatwg /path/to/php-src/ext/uri/uri_parser_whatwg.c:521:11
#10 0x5568e9199fd8 in zm_activate_uri /path/to/php-src/ext/uri/php_uri.c:1142:6
#11 0x5568e948fdcb in zend_activate_modules /path/to/php-src/Zend/zend_API.c:3388:7
#12 0x5568e920d9c9 in php_request_startup /path/to/php-src/main/main.c:1947:3
#13 0x5568e9a14aca in do_cli /path/to/php-src/sapi/cli/php_cli.c:919:7
#14 0x5568e9a11f3c in main /path/to/php-src/sapi/cli/php_cli.c:1362:18
#15 0x7f95a171ed8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
SUMMARY: AddressSanitizer: heap-buffer-overflow /path/to/php-src/ext/lexbor/lexbor/url/url.c:3299:19 in lxb_url_percent_encode_after_utf_8
Shadow bytes around the buggy address:
0x0c4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8e20: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2303932==ABORTING
Commit:
d750d30a627a143d88670cf0431d6f42b2c77c4b
Build configuration:
CC="clang" CXX="clang++" CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" LDFLAGS="-fsanitize=address" ./buildconf --force && ./configure --enable-debug --enable-address-sanitizer --disable-shared --with-pic --enable-mbstring --with-zlib
PHP Version
PHP 8.6.0-dev (cli) (built: Nov 18 2025 15:42:17) (NTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.6.0-dev, Copyright (c) Zend Technologies
with Zend OPcache v8.6.0-dev, Copyright (c), by Zend Technologies
Operating System
Ubuntu 22.04
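The report attributes the overrun to the percent-encoding routine writing past the end of its buffer while handling invalid UTF-8. The following is an added example of the general bug class, written for this page; it is not lexbor's code and does not reproduce the specific defect above. It shows why an output-size estimate that assumes at most three output bytes per input byte ("%XX") is too small once invalid sequences are replaced by U+FFFD (nine bytes, "%EF%BF%BD"), and how an encoder that returns the length it needed and never writes past the capacity it was given avoids the write. The function names (percent_encode_path_utf8, percent_encode_worst_case, utf8_seq_len) and the inputs are this example's own; replacing each invalid byte with one U+FFFD is a simplification of the standard's maximal-subpart rule.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Path percent-encode set from the WHATWG URL standard: C0 controls,
 * bytes above 0x7E, and the characters  space " # < > ? ` { } .      */
static int in_path_encode_set(uint8_t c)
{
    return c < 0x20 || c > 0x7E || strchr(" \"#<>?`{}", (int) c) != NULL;
}

/* Length (1..4) of the well-formed UTF-8 sequence starting at p, or 0 if
 * the bytes are invalid, overlong, a surrogate, or truncated before n.  */
static size_t utf8_seq_len(const uint8_t *p, size_t n)
{
    size_t len;
    uint32_t cp, min;
    if (n == 0) return 0;
    if (p[0] < 0x80) return 1;
    if ((p[0] & 0xE0) == 0xC0)      { len = 2; cp = p[0] & 0x1F; min = 0x80; }
    else if ((p[0] & 0xF0) == 0xE0) { len = 3; cp = p[0] & 0x0F; min = 0x800; }
    else if ((p[0] & 0xF8) == 0xF0) { len = 4; cp = p[0] & 0x07; min = 0x10000; }
    else return 0;
    if (n < len) return 0;                 /* truncated at end of input */
    for (size_t i = 1; i < len; i++) {
        if ((p[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return len;
}

/* Append k bytes only if they fit; the running length advances either way so
 * the caller learns the size it actually needed. Never writes past cap.     */
static void put(char *out, size_t cap, size_t *pos, const char *s, size_t k)
{
    if (*pos + k <= cap) memcpy(out + *pos, s, k);
    *pos += k;
}

/* Upper bound on output bytes for n input bytes: a lone invalid byte becomes
 * "%EF%BF%BD" (9 bytes). Sizing for 3 bytes per input byte, as a plain "%XX"
 * encoder would, is the under-estimate that lets an encoder overrun.        */
size_t percent_encode_worst_case(size_t n) { return n * 9; }

/* Percent-encode n input bytes into out (capacity cap, NUL-terminated when
 * cap > 0). Returns the length the full encoding needs, like snprintf, so a
 * caller can detect a too-small buffer instead of overflowing it. Invalid
 * UTF-8 is replaced byte-by-byte with U+FFFD (simplified from the standard). */
size_t percent_encode_path_utf8(const uint8_t *in, size_t n, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t pos = 0, i = 0;
    while (i < n) {
        size_t len = utf8_seq_len(in + i, n - i);
        if (len == 0) {                            /* invalid or truncated */
            put(out, cap, &pos, "%EF%BF%BD", 9);
            i += 1;
        } else if (len == 1 && !in_path_encode_set(in[i])) {
            put(out, cap, &pos, (const char *) in + i, 1);
            i += 1;
        } else {                                   /* every byte escaped */
            for (size_t j = 0; j < len; j++, i++) {
                char esc[3] = { '%', hex[in[i] >> 4], hex[in[i] & 0x0F] };
                put(out, cap, &pos, esc, 3);
            }
        }
    }
    if (cap > 0) out[pos < cap ? pos : cap - 1] = '\0';
    return pos;
}

int main(void)
{
    /* Constructed inputs for this example, not taken from the PoC file. */
    const uint8_t good[] = "caf\xC3\xA9 x";   /* valid UTF-8 plus a space */
    const uint8_t bad[]  = "\xE2\x82";         /* truncated 3-byte sequence */
    char out[64];
    size_t need, small = 3 * (sizeof bad - 1) + 1;

    need = percent_encode_path_utf8(good, sizeof good - 1, out, sizeof out);
    printf("%zu %s\n", need, out);             /* 13 caf%C3%A9%20x */
    need = percent_encode_path_utf8(bad, sizeof bad - 1, out, sizeof out);
    printf("%zu %s\n", need, out);             /* 18 %EF%BF%BD%EF%BF%BD */
    /* A "3 bytes per input byte" buffer is too small; nothing is written past it. */
    need = percent_encode_path_utf8(bad, sizeof bad - 1, out, small);
    printf("needed %zu, had %zu, bound %zu\n", need, small,
           percent_encode_worst_case(sizeof bad - 1));  /* needed 18, had 7, bound 18 */
    return 0;
}
```

The design point is the two-call contract: size the buffer from percent_encode_worst_case (or from a first call with cap 0), then encode. An encoder that instead writes as it goes, with capacity computed from the "%XX" case only, has exactly the shape of failure the sanitizer report above describes: a one-byte write landing 0 bytes past the end of the region.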