VYPR
Unrated severity · NVD Advisory · Published Nov 21, 2019 · Updated Aug 5, 2024

CVE-2019-19203

Description

A heap-buffer-overread exists in Oniguruma 6.x before 6.9.4_rc2 in the gb18030_mbc_enc_len function, allowing arbitrary data read via crafted regex patterns.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer over-read vulnerability exists in the gb18030_mbc_enc_len function in gb18030.c of Oniguruma versions 6.x prior to 6.9.4_rc2 [1][2][3]. The function dereferences a UChar* pointer without checking whether it has passed the end of the string, leading to reading beyond the allocated buffer boundary [3]. The vulnerable code path is reachable when the library processes a regular expression against input encoded in GB18030. The affected function is part of the Oniguruma regular expression library, which is used by Ruby 1.9+, PHP’s mbstring module, and other products such as Atom, Sublime Text, and TextMate [1][2].

Exploitation

An attacker can trigger the vulnerability by providing a crafted regular expression pattern and input string that causes the GB18030 encoding handler to increment the pointer and then read the next byte without bounds checking [3]. The proof-of-concept provided in the references uses a pattern [\\W]\\w (six bytes) and input \xe1\xe1 (two bytes) [3]. The attacker does not require authentication or special privileges; they only need to supply the malicious input to an application that uses Oniguruma to compile and execute the regex. In the PoC, the function onig_search is called with the GB18030 encoding, and due to the missing bound check, the library reads bytes beyond str_end [3].

Impact

Successful exploitation results in a heap-based buffer over-read, potentially disclosing sensitive memory contents from the heap [1][2][3]. The over-read itself writes nothing; its direct consequences are information disclosure and, where the read crosses into unmapped memory, a crash (denial of service), and in some cases it may be chained with other bugs toward memory corruption. The degree of impact depends on what data resides adjacent to the buffer; an attacker could read secrets, pointers, or other sensitive data from the application's memory.

Mitigation

The vulnerability is fixed in Oniguruma version 6.9.4 RC2, released on November 21, 2019 [4]. Users should upgrade to this version or later. The fix addresses the heap-buffer-overflow in gb18030_mbc_enc_len() by adding proper bounds checking [4]. There are no known workarounds; as such, applying the patch is the recommended mitigation. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
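The unchecked read described under Vulnerability and the bounds check named under Mitigation, as an added example constructed for this page (not Oniguruma's gb18030.c): a simplified GB18030 length function in its unchecked and end-aware forms, run over the PoC's two-byte subject with one slack byte placed after it to stand in for adjacent heap data. The byte classes, buffer contents and function names are assumptions.

```c
#include <stddef.h>
typedef unsigned char UChar;

/* Byte classes simplified from GB18030 (constructed; not Oniguruma's
   GB18030_MAP table): 0x81-0xFE opens a multibyte sequence and a second
   byte in 0x30-0x39 marks the four-byte form. */
static int is_lead(UChar c)      { return c >= 0x81 && c <= 0xFE; }
static int is_four_mark(UChar c) { return c >= 0x30 && c <= 0x39; }

/* Bug shape (hypothetical reconstruction, not the library's code): with only
   p available, the function must read p[1] even when p is the last byte. */
static int enc_len_unchecked(const UChar *p)
{
  if (!is_lead(p[0])) return 1;
  if (is_four_mark(p[1])) return 4;   /* p[1] may lie beyond the string */
  return 2;
}

/* Hardened shape: the caller passes end, every read is guarded, and a
   sequence cut off by end reports only the bytes that remain, so a caller
   advancing by the result can never step past end. */
static int enc_len_checked(const UChar *p, const UChar *end)
{
  ptrdiff_t avail = end - p;
  if (avail <= 0) return 0;
  if (!is_lead(p[0])) return 1;
  if (avail < 2) return 1;            /* lone lead byte at the tail */
  if (is_four_mark(p[1])) return avail < 4 ? (int)avail : 4;
  return 2;
}

/* Walk [p, end) with the checked function; the loop is bounded by end. */
static int count_chars(const UChar *p, const UChar *end)
{
  int n = 0;
  while (p < end) { p += enc_len_checked(p, end); n++; }
  return n;
}

/* Constructed buffers: the PoC's two-byte subject plus one slack byte that
   stands in for adjacent heap data (the string is TAIL[0..2), so end is
   TAIL + 2), and one complete four-byte sequence. */
static const UChar TAIL[] = {0xE1, 0xE1, 0x35};
static const UChar FOUR[] = {0x81, 0x30, 0x81, 0x30};

int tail_len_unchecked(void) { return enc_len_unchecked(TAIL + 1); }         /* 4: past end */
int tail_len_checked(void)   { return enc_len_checked(TAIL + 1, TAIL + 2); } /* 1 */
int four_len_complete(void)  { return enc_len_checked(FOUR, FOUR + 4); }     /* 4 */
int four_len_truncated(void) { return enc_len_checked(FOUR, FOUR + 3); }     /* 3 */
int tail_char_count(void)    { return count_chars(TAIL, TAIL + 2); }         /* 1 */
```

At the last byte of the subject the unchecked form classifies the slack byte as a four-byte marker and reports a length that steps past end; the checked form reports the single byte that remains.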

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 64

Patches: 2
e03900b038a2

update HISTORY

https://github.com/kkos/oniguruma · K.Kosako · Nov 29, 2019 · via osv
1 file changed · +1 -1
  • HISTORY (+1 -1, modified)
    @@ -1,6 +1,6 @@
     History
     
    -2019/MM/DD: Version 6.9.4
    +2019/11/29: Version 6.9.4
     
     2019/11/22: Release Candidate 3 for Version 6.9.4
     
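Review bot: this commit is listed as a patch for CVE-2019-19203, but the hunk only replaces the `2019/MM/DD` placeholder with the 6.9.4 release date in HISTORY; it touches no code in gb18030.c, so on its own it is not evidence that a build carries the bounds-check fix. When verifying a deployed build, check the version string or the commit that changes gb18030_mbc_enc_len rather than the presence of this change.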
    
681824e81bb5

change pattern size to be random

https://github.com/kkos/oniguruma · K.Kosako · Nov 14, 2019 · via osv
1 file changed · +9 -4
  • harnesses/encode-harness.c (+9 -4, modified)
    @@ -152,7 +152,7 @@ output_data(char* path, const uint8_t * data, size_t size)
     
     
     #define EXEC_PRINT_INTERVAL  10000000
    -#define MAX_PATTERN_SIZE     100
    +#define MAX_PATTERN_SIZE     150
     
     #ifdef SYNTAX_TEST
     #define NUM_CONTROL_BYTES      3
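Review bot: the cap bump from 100 to 150 in `#define MAX_PATTERN_SIZE` carries no comment, and the commit message ("change pattern size to be random") does not mention it; a one-line note on why the encoding harness wants the larger cap would help the next reader, since it changes the range of pattern lengths the fuzzer can generate.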
    @@ -238,9 +238,14 @@ int LLVMFuzzerTestOneInput(const uint8_t * Data, size_t Size)
       data++;
       remaining_size--;
     
    -  pattern_size = remaining_size / 2;
    -  if (pattern_size > MAX_PATTERN_SIZE)
    -    pattern_size = MAX_PATTERN_SIZE;
    +  //pattern_size = remaining_size / 2;
    +  if (remaining_size == 0)
    +    pattern_size = 0;
    +  else {
    +    pattern_size = INPUT_COUNT % remaining_size;
    +    if (pattern_size > MAX_PATTERN_SIZE)
    +      pattern_size = MAX_PATTERN_SIZE;
    +  }
     
     #if defined(UTF16_BE) || defined(UTF16_LE)
       if (pattern_size % 2 == 1) pattern_size--;
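Review bot: `pattern_size = INPUT_COUNT % remaining_size;` makes the pattern/subject split depend on a value that is not part of the input (INPUT_COUNT is not defined in this diff and, from its name, counts inputs processed so far), so the same corpus file is split differently depending on how many inputs ran before it, which makes a crash found by the fuzzer hard to reproduce from the saved file alone. Prefer deriving the split from the data itself (for example one of the control bytes consumed just above, next to `data++; remaining_size--;`) so each input is self-describing, and delete the commented-out `//pattern_size = remaining_size / 2;` rather than leaving dead code. The `remaining_size == 0` guard is correct as written, since it avoids a modulo by zero.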
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in the index yet)