iconv_mime_decode() with malformed UTF-8 encoded-word corrupts stack, causing unrecoverable SIGSEGV (ASan: nested bug in same thread) #21664
Closed
Description
The following code:

```php
<?php
// Malformed encoded-word: a lone 0xA1 byte (not valid UTF-8) inside the Q-encoded text
var_dump(iconv_mime_decode("Illegal encoded-word: =?utf-8?Q?".chr(0xA1)."?= ."));

spl_autoload_register(function ($fusion) {
    // Note: $class is never assigned here (the parameter is $fusion),
    // so the comparison below always reads an undefined variable.
    if ($class == 'A') {
    } else {
        class Y extends A {}
    }
});
new B;
```

Resulted in this output:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==902==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7b7a4a01d31e bp 0x64008de5fc9b9782 sp 0x8bb08de5c365d786 T0)
==902==The signal is caused by a READ memory access.
==902==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
```
To reproduce:

```
./php-src/sapi/cli/php ./test.php
```

Commit: 88c658e1f6e47024f297bc55b07a402c4ed3621c

Configurations:

```
CC="clang-12" CXX="clang++-12" CFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" CXXFLAGS="-DZEND_VERIFY_TYPE_INFERENCE" ./configure --enable-debug --enable-address-sanitizer --enable-undefined-sanitizer --enable-re2c-cgoto --enable-fpm --enable-litespeed --enable-phpdbg-debug --enable-zts --enable-bcmath --enable-calendar --enable-dba --enable-dl-test --enable-exif --enable-ftp --enable-gd --enable-gd-jis-conv --enable-mbstring --enable-pcntl --enable-shmop --enable-soap --enable-sockets --enable-sysvmsg --enable-zend-test --with-zlib --with-bz2 --with-curl --with-enchant --with-gettext --with-gmp --with-mhash --with-ldap --with-libedit --with-readline --with-snmp --with-sodium --with-xsl --with-zip --with-mysqli --with-pdo-mysql --with-pdo-pgsql --with-pgsql --with-sqlite3 --with-pdo-sqlite --with-webp --with-jpeg --with-freetype --enable-sigchild --with-readline --with-pcre-jit --with-iconv
```

Operating System: Ubuntu 20.04 host, Docker image 0599jiangyc/flowfusion:latest
This report is automatically generated by FlowFusion
PHP Version
nightly
Operating System
No response
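The reproducer above mixes two unrelated operations (an `iconv_mime_decode()` call on a malformed encoded-word and a class declaration inside an autoloader), so a first triage step is to run the iconv half on its own and compare its behaviour across the decode flags and against a well-formed input. The script below is an added triage harness written for this page; it is not part of the report or of php-src. The header strings are constructed (the malformed one copies the report's input), and it deliberately leaves the autoloader portion of the reproducer aside. It also records `ICONV_IMPL` and `ICONV_VERSION`, because how an invalid byte sequence is rejected differs between glibc iconv and GNU libiconv, which matters when comparing results across builds.

```php
<?php
// Added triage script, not part of the original report or of php-src.
// Isolates the iconv_mime_decode() call from the autoloader half of the
// reproducer and shows how each decode mode handles a malformed encoded-word.

function mime_decode_variants(string $header): array {
    $modes = [
        'default'           => 0,
        'strict'            => ICONV_MIME_DECODE_STRICT,
        'continue_on_error' => ICONV_MIME_DECODE_CONTINUE_ON_ERROR,
    ];
    $results = [];
    foreach ($modes as $name => $mode) {
        // iconv_mime_decode() returns false on failure and raises a notice;
        // capture the notice so it can be reported alongside the result.
        $notice = null;
        set_error_handler(function (int $errno, string $errstr) use (&$notice): bool {
            $notice = $errstr;
            return true;
        });
        $decoded = iconv_mime_decode($header, $mode, 'UTF-8');
        restore_error_handler();
        $results[$name] = [
            // hex-encode so raw (possibly invalid) bytes never hit the terminal
            'decoded' => $decoded === false ? false : bin2hex($decoded),
            'notice'  => $notice,
        ];
    }
    return $results;
}

// Constructed inputs: a well-formed Q-encoded word ("café"), and the report's
// malformed one with a lone 0xA1 byte (invalid as UTF-8) inside the encoded text.
$inputs = [
    'well_formed' => 'Subject: =?utf-8?Q?caf=C3=A9?= .',
    'malformed'   => 'Illegal encoded-word: =?utf-8?Q?' . chr(0xA1) . '?= .',
];

printf("iconv implementation: %s %s\n", ICONV_IMPL, ICONV_VERSION);
foreach ($inputs as $label => $header) {
    printf("== %s ==\n", $label);
    foreach (mime_decode_variants($header) as $name => $r) {
        printf("%-18s decoded=%s notice=%s\n",
            $name,
            $r['decoded'] === false ? 'false' : $r['decoded'],
            $r['notice'] ?? 'none');
    }
}
```

Run it with the same ASan-instrumented binary as the report (`./php-src/sapi/cli/php triage.php`): if the process survives all three modes on the malformed input, the iconv call alone does not reproduce the crash and attention can move to the autoloader half; if it faults, the exact mode and input that trigger it are already pinned down.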