mb_list_encodings() can cause crashes on shutdown #19397

@chongwick

Description

The following code:

<?php
$v_14545 = chr(246);                 // single byte 0xF6 (not valid UTF-8 on its own)
$v_14547 = mb_list_encodings();      // array of all supported encoding names
if ($v_14545) {
        // detect against the full encoding list in strict mode
        $v_14537 = mb_detect_encoding($v_14545, $v_14547, true);
}

Resulted in this output:

==536652==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000089060 at pc 0x55965b13bfdc bp 0x7ffeda239ee0 sp 0x7ffeda239ed0
READ of size 4 at 0x606000089060 thread T0
    #0 0x55965b13bfdb in zend_gc_delref /home/nightly_php/php-src/Zend/zend_types.h:1371
    #1 0x55965b13bfdb in i_zval_ptr_dtor /home/nightly_php/php-src/Zend/zend_variables.h:44
    #2 0x55965b13bfdb in zval_ptr_dtor /home/nightly_php/php-src/Zend/zend_variables.c:84
    #3 0x55965afe74e8 in _zend_hash_del_el_ex /home/nightly_php/php-src/Zend/zend_hash.c:1486
    #4 0x55965afe74e8 in _zend_hash_del_el /home/nightly_php/php-src/Zend/zend_hash.c:1513
    #5 0x55965afe74e8 in zend_hash_graceful_reverse_destroy /home/nightly_php/php-src/Zend/zend_hash.c:2038
    #6 0x55965ac57a5e in zend_shutdown_executor_values /home/nightly_php/php-src/Zend/zend_execute_API.c:285
    #7 0x55965ac5a9f2 in shutdown_executor /home/nightly_php/php-src/Zend/zend_execute_API.c:455
    #8 0x55965b15912a in zend_deactivate /home/nightly_php/php-src/Zend/zend.c:1350
    #9 0x55965a8e41ba in php_request_shutdown /home/nightly_php/php-src/main/main.c:1969
    #10 0x55965b15dff9 in do_cli /home/nightly_php/php-src/sapi/cli/php_cli.c:1159
    #11 0x5596593fa562 in main /home/nightly_php/php-src/sapi/cli/php_cli.c:1363
    #12 0x14793546cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #13 0x14793546ce3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #14 0x5596593fb8b4 in _start (/home/nightly_php/php-src/sapi/cli/php+0x2f7d8b4)

0x606000089060 is located 0 bytes inside of 56-byte region [0x606000089060,0x606000089098)
freed by thread T0 here:
    #0 0x14793926e537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x559659e21cac in zm_deactivate_mbstring /home/nightly_php/php-src/ext/mbstring/mbstring.c:1164
    #2 0x55965ab3e449 in zend_deactivate_modules /home/nightly_php/php-src/Zend/zend_API.c:3425
    #3 0x55965a8e48ba in php_request_shutdown /home/nightly_php/php-src/main/main.c:1946
    #4 0x55965b15dff9 in do_cli /home/nightly_php/php-src/sapi/cli/php_cli.c:1159
    #5 0x5596593fa562 in main /home/nightly_php/php-src/sapi/cli/php_cli.c:1363
    #6 0x14793546cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

previously allocated by thread T0 here:
    #0 0x14793926e887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55965aafad14 in __zend_malloc /home/nightly_php/php-src/Zend/zend_alloc.c:3518
    #2 0x559659e2e314 in zif_mb_list_encodings /home/nightly_php/php-src/ext/mbstring/mbstring.c:3496
    #3 0x55965af56e18 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /home/nightly_php/php-src/Zend/zend_vm_execute.h:1408
    #4 0x55965af56e18 in execute_ex /home/nightly_php/php-src/Zend/zend_vm_execute.h:58921
    #5 0x55965af93eaf in zend_execute /home/nightly_php/php-src/Zend/zend_vm_execute.h:64384
    #6 0x55965b15a34f in zend_execute_script /home/nightly_php/php-src/Zend/zend.c:1943
    #7 0x55965a8e7363 in php_execute_script_ex /home/nightly_php/php-src/main/main.c:2594
    #8 0x55965b16027a in do_cli /home/nightly_php/php-src/sapi/cli/php_cli.c:952
    #9 0x5596593fa562 in main /home/nightly_php/php-src/sapi/cli/php_cli.c:1363
    #10 0x14793546cd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/nightly_php/php-src/Zend/zend_types.h:1371 in zend_gc_delref
Shadow bytes around the buggy address:
  0x0c0c800091b0: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c800091c0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c800091d0: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c800091e0: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c800091f0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
=>0x0c0c80009200: fd fd fd fd fd fd fd fd fa fa fa fa[fd]fd fd fd
  0x0c0c80009210: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80009220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80009230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80009240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80009250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==536652==ABORTING

But I expected this output instead:

PHP Version

nightly

Operating System

ubuntu 22.04
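
The two stacks in the report differ in one detail that explains the crash: the string was allocated with `__zend_malloc` (persistent heap) inside `zif_mb_list_encodings`, freed in `zm_deactivate_mbstring` during `zend_deactivate_modules` (main.c:1946), and only afterwards decref'd by `zval_ptr_dtor` while `shutdown_executor` (main.c:1969) destroyed the global symbol table still holding `$v_14547`. The following C program is an added illustration of that ownership pattern and is not php-src code: a toy "module" owns persistently allocated refcounted strings, a request-lifetime "symbol table" keeps references to them, and a tracking allocator stands in for AddressSanitizer so the program can count use-after-free decrefs instead of aborting. All names (`rc_string`, `module_cache`, `run_request`, the three encoding names) are constructed for the model; `zend_string`, the mbstring globals and the real shutdown sequence are not reproduced.

```c
/*
 * Added model of the shutdown-ordering use-after-free, not php-src code.
 * Refcount sits at offset 0, matching the 4-byte READ at +0 in the report.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

typedef struct {
    unsigned refcount;
    char     val[32];
} rc_string;

/* Tracking allocator: remembers every block and whether it was "freed". */
#define MAX_BLOCKS 16
static struct { void *ptr; bool freed; } blocks[MAX_BLOCKS];
static int nblocks;

static void *tracked_alloc(size_t n) {
    if (nblocks == MAX_BLOCKS) abort();
    void *p = calloc(1, n);
    blocks[nblocks].ptr = p;
    blocks[nblocks].freed = false;
    nblocks++;
    return p;
}

/* Marks the block freed but keeps the memory, so a later access is detectable. */
static void tracked_free(void *p) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].ptr == p) blocks[i].freed = true;
}

static bool is_freed(const void *p) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i].ptr == p) return blocks[i].freed;
    return false;
}

static void release_all(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i].ptr);
    nblocks = 0;
}

/* --- the "module": owns a persistent cache of encoding names (constructed) */
#define N_ENC 3
static rc_string *module_cache[N_ENC];

static void module_startup(void) {
    static const char *names[N_ENC] = { "UTF-8", "ISO-8859-1", "SJIS" };
    for (int i = 0; i < N_ENC; i++) {
        module_cache[i] = tracked_alloc(sizeof(rc_string));
        module_cache[i]->refcount = 1;
        strncpy(module_cache[i]->val, names[i], sizeof module_cache[i]->val - 1);
    }
}

/* Hands the caller additional references to the cached strings. */
static void module_list(rc_string **out) {
    for (int i = 0; i < N_ENC; i++) {
        module_cache[i]->refcount++;
        out[i] = module_cache[i];
    }
}

/* Module deactivation frees its cache regardless of outstanding references. */
static void module_deactivate(void) {
    for (int i = 0; i < N_ENC; i++) tracked_free(module_cache[i]);
}

/* --- the "executor": tearing down a request-lifetime symbol table -------- */
/* Returns how many decrefs landed on already-freed memory. */
static int symtab_destroy(rc_string **tab) {
    int uaf = 0;
    for (int i = 0; i < N_ENC; i++) {
        if (is_freed(tab[i])) { uaf++; continue; }     /* ASan would abort here */
        if (--tab[i]->refcount == 0) tracked_free(tab[i]);
    }
    return uaf;
}

/*
 * One request. modules_first mirrors the reported order: module deactivation
 * (free) runs before executor shutdown (decref). Returns the UAF count.
 */
int run_request(bool modules_first) {
    rc_string *symtab[N_ENC];
    module_startup();
    module_list(symtab);                 /* $v_14547 = mb_list_encodings(); */
    int uaf;
    if (modules_first) {
        module_deactivate();
        uaf = symtab_destroy(symtab);
    } else {
        uaf = symtab_destroy(symtab);
        module_deactivate();
    }
    release_all();
    return uaf;
}

int main(void) {
    printf("modules first:  %d use-after-free decref(s)\n", run_request(true));
    printf("executor first: %d use-after-free decref(s)\n", run_request(false));
    return 0;
}
```

With the reported ordering every cached string is decref'd after its owner freed it; with the executor torn down first the refcounts drop cleanly and the module frees the last reference. The model only shows why the ordering matters for persistently allocated data that escapes into request-lifetime variables; how php-src resolves this particular case is not determined by the report above.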
