oss-sec mailing list archives
Re: CVE request: PHP substr_replace() use-after-free
From: Felipe Pena <felipensp () gmail com>
Date: Sun, 13 Mar 2011 15:41:55 -0300
2011/3/13 Oden Eriksson <oeriksson () mandriva com>

> On Sunday 13 March 2011 15.00.10, Felipe Pena wrote:
> > Hi,
> > I just found a use-after-free in PHP's substr_replace() function, caused
> > by passing the same variable multiple times to the function, which makes
> > PHP use the same pointer in three variables inside the function, so
> > when the pointer is changed by a type conversion inside the function, it
> > invalidates the other variables.
> >
> > The PHP security team has been notified, and a bug has already been filed in
> > the bug tracker (http://bugs.php.net/bug.php?id=54238 [private])
> >
> > $ sapi/cli/php ../bug.php
> > array(1) {
> >   [0]=>
> >   string(5) "0Ȅ y"
> > }
> > array(1) {
> >   [0]=>
> >   string(1) "0"
> > }
> >
> > Thanks.
>
> It seems only 5.2 is affected because I couldn't reproduce it on 5.3. Or?

It affects 5.2, 5.3 and even trunk. I can reproduce it in all the branches.

--
Regards,
Felipe Pena
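
The aliasing problem described in this thread, as an added example that is not part of the original messages and is not PHP's code: a simplified C model in which an in-place type conversion frees a string buffer, and a hardened replace routine that converts only private copies of its offset and length arguments. The `val` struct and all function names are hypothetical, and negative offsets are simply clamped to 0.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for an interpreter value; NOT PHP's real zval. */
typedef struct { int is_str; char *s; long n; } val;

static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

/* In-place type conversion: releases the string buffer. Any other
 * argument pointing at the same val now refers to freed memory. */
static void to_long(val *v) {
    if (!v->is_str) return;
    long n = strtol(v->s, NULL, 10);
    free(v->s);
    v->s = NULL; v->is_str = 0; v->n = n;
}

/* Private copy, so a conversion cannot reach the caller's value. */
static val separate(const val *v) {
    val c = *v;
    if (v->is_str && !(c.s = dup_str(v->s))) c.is_str = 0;
    return c;
}

/* Hardened replace: offset and length are converted on copies, so str and
 * repl stay valid even when all four pointers are equal. The unsafe form
 * would call to_long(from) and to_long(len) on the caller's values. */
char *replace_safe(val *str, val *repl, val *from, val *len) {
    val f = separate(from), l = separate(len);
    to_long(&f); to_long(&l);
    if (!str->is_str || !repl->is_str) return NULL;
    size_t sl = strlen(str->s), rl = strlen(repl->s);
    size_t off = f.n < 0 ? 0 : ((size_t)f.n > sl ? sl : (size_t)f.n);
    size_t cut = l.n < 0 ? 0 : ((size_t)l.n > sl - off ? sl - off : (size_t)l.n);
    char *out = malloc(sl - cut + rl + 1);
    if (!out) return NULL;
    memcpy(out, str->s, off);                      /* prefix */
    memcpy(out + off, repl->s, rl);                /* replacement */
    memcpy(out + off + rl, str->s + off + cut, sl - off - cut + 1);
    return out;
}

/* Constructed case: one value passed as every argument. */
char *demo_all_same(const char *text) {
    val v = { 1, dup_str(text), 0 };
    char *out = replace_safe(&v, &v, &v, &v);
    free(v.s);
    return out;
}
```

Building the unsafe variant with AddressSanitizer (`-fsanitize=address`) is a quick way to confirm that converting the caller's value directly trips a heap-use-after-free report in the aliased case.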