oss-sec mailing list archives
Re: CVE request: PHP substr_replace() use-after-free
From: Oden Eriksson <oeriksson () mandriva com>
Date: Sun, 13 Mar 2011 19:33:32 +0100
On Sunday 13 March 2011 15.00.10, Felipe Pena wrote:
> Hi,
>
> I just found a use-after-free in PHP's substr_replace() function caused by
> passing the same variable multiple times to the function, which makes PHP
> use the same pointer in three variables inside the function, so when the
> pointer is changed by a type conversion inside the function, it invalidates
> the other variables.
>
> The PHP security team has been noticed, and a bug was already filed in the
> bugtracker (http://bugs.php.net/bug.php?id=54238 [private])
>
> $ sapi/cli/php ../bug.php
> array(1) {
>   [0]=>
>   string(5) "0Ȅ y"
> }
> array(1) {
>   [0]=>
>   string(1) "0"
> }
>
> Thanks.
It seems only 5.2 is affected because I couldn't reproduce it on 5.3. Or?

-- 
Regards // Oden Eriksson
Security team manager - Mandriva
CEO NUX AB
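The aliasing pattern described in the quoted report, modelled in C as an added example (not PHP source code and not part of the original messages): the same value is passed for two arguments and an in-place type conversion frees a buffer the function still points at. The `value` struct and all function names are hypothetical, and the subject argument is assumed to be a string.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a dynamically typed value; not PHP's real zval. */
typedef struct { int is_str; long num; char *str; } value;

static value make_str(const char *s) {
    value v = {1, 0, malloc(strlen(s) + 1)};
    if (!v.str) abort();
    strcpy(v.str, s);
    return v;
}

/* In-place type conversion: frees the string buffer the value owned. */
static void to_long(value *v) {
    if (!v->is_str) return;
    v->num = strtol(v->str, NULL, 10);
    free(v->str);
    v->str = NULL;
    v->is_str = 0;
}

/* Returns a new string: the first `start` bytes of s followed by repl. */
static char *splice(const char *s, long start, const char *repl) {
    size_t len = strlen(s);
    size_t n = start < 0 ? 0 : ((size_t)start > len ? len : (size_t)start);
    char *out = malloc(n + strlen(repl) + 1);
    if (!out) abort();
    memcpy(out, s, n);
    strcpy(out + n, repl);
    return out;
}

/* Flawed shape: caches the subject's buffer, then converts `start` in place.
   If the caller passes the same value for both, `s` dangles after to_long(). */
char *replace_flawed(value *subject, value *start, const char *repl) {
    const char *s = subject->str;
    to_long(start);
    return splice(s, start->num, repl);
}

/* Hardened shape: convert a private copy, so aliased arguments stay intact. */
char *replace_hardened(value *subject, value *start, const char *repl) {
    value tmp = start->is_str ? make_str(start->str) : *start;
    to_long(&tmp);               /* frees only tmp's own buffer */
    return splice(subject->str, tmp.num, repl);
}
```

Building with `-fsanitize=address` and calling `replace_flawed(&v, &v, ...)` makes the stale read visible as a heap-use-after-free report, while `replace_hardened` passes the same aliased call cleanly.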