Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding

Summary

A global buffer over-read exists in mbfl_name2encoding_ex() (ext/mbstring/libmbfl/mbfl/mbfl_encoding.c, line 352), called from mb_convert_encoding(...) and other mbstring functions, when parsing encoding names with embedded NUL bytes.

Root Cause

In mbfl_name2encoding_ex, the MIME name search loop (line 352) uses:

if (strncasecmp((*encoding)->mime_name, name, name_len) == 0 && (*encoding)->mime_name[name_len] == '\0') {

When name contains an embedded NUL byte (e.g., "UTF-8\x00AAAA..."), strncasecmp returns 0 because it stops comparing at the NUL, which both strings have at the same position. The subsequent check (*encoding)->mime_name[name_len] then reads at offset name_len (e.g., 22) from mime_name, which is only 6 bytes long ("UTF-8\0"). The read lands 16+ bytes past the end of the global string, in adjacent global memory.

The same issue exists on line 362 for encoding aliases.
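The check described above, worked through as an added example (not code from php-src or the advisory, and not presented as the upstream fix): it computes the index the quoted comparison would dereference for a constructed 22-byte name, without performing the read, and contrasts it with a length-first comparison. The function names, the crafted input and the hardened variant are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed input: "UTF-8", an embedded NUL, then 16 filler bytes (22 total). */
static const char crafted[] = "UTF-8\0AAAAAAAAAAAAAAAA";
#define CRAFTED_LEN (sizeof(crafted) - 1)

/* Index the quoted check would dereference in mime_name, or -1 if the
 * strncasecmp() guard fails first. Only computes the index; reads nothing. */
static long flawed_check_index(const char *mime_name, const char *name, size_t name_len)
{
    if (strncasecmp(mime_name, name, name_len) != 0)
        return -1;
    return (long)name_len;
}

/* 1 if idx lies past mime_name's terminating NUL, i.e. outside the string. */
static int index_out_of_bounds(const char *mime_name, long idx)
{
    return idx >= 0 && (size_t)idx > strlen(mime_name);
}

/* Hardened comparison (illustrative): the lengths must agree before any byte
 * is compared, so mime_name is never indexed with a caller-controlled length.
 * A name with an embedded NUL is longer than any stored name it could
 * otherwise match, so it is rejected by the length test. */
static int name_matches_safe(const char *mime_name, const char *name, size_t name_len)
{
    if (strlen(mime_name) != name_len)
        return 0;
    return strncasecmp(mime_name, name, name_len) == 0;
}

int main(void)
{
    long idx = flawed_check_index("UTF-8", crafted, CRAFTED_LEN);
    printf("flawed check would read mime_name[%ld], out of bounds: %d\n",
           idx, index_out_of_bounds("UTF-8", idx));
    printf("hardened match on crafted name: %d\n",
           name_matches_safe("UTF-8", crafted, CRAFTED_LEN));
    printf("hardened match on \"utf-8\": %d\n",
           name_matches_safe("UTF-8", "utf-8", 5));
    return 0;
}
```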

Minimal Reproducer

Related CVEs

CVE-ID Severity (CVE.org) CVSS (CVE.org) EPSS EPSS-% Published (CVE.org)

CVE-2026-6104

- - - -

Source details

Label: PHP Security (php/php-src GHSA)
Name: php_sec
Category: vendor_advisory
Tags: php, runtime
Audience: -
Language: de
Feed URL: https://github.com/php/php-src/security/advisories