oss-sec mailing list archives

Re: CVE request: PHP substr_replace() use-after-free

From: Felipe Pena <felipensp () gmail com>
Date: Sun, 13 Mar 2011 15:41:55 -0300

2011/3/13 Oden Eriksson <oeriksson () mandriva com>

söndagen den 13 mars 2011 15.00.10 skrev  Felipe Pena:

Hi,

I just found an use-after-free in PHP's substr_replace() function caused

by

passing the same variable multiple times to the function, which makes the
PHP to use the same pointer in three variables inside the function, so

when

the pointer is changed by a type conversion inside the function, it
invalids the other variables.

The PHP security team has seen noticed, and a bug already was filed in

the

bugtracker (http://bugs.php.net/bug.php?id=54238 [private])

$ sapi/cli/php ../bug.php
array(1) {
[0]=>
string(5) "0Ȅ y"
}
array(1) {
[0]=>
string(1) "0"
}


Thanks.


It seems only 5.2 is affected because I couldn't reproduce it on 5.3. Or?

It affects 5.2, 5.3 and even trunk. I can reproduce it in all the branches.

-- 
Regards,
Felipe Pena

Current thread:

CVE request: PHP substr_replace() use-after-free Felipe Pena (Mar 13)
- Re: CVE request: PHP substr_replace() use-after-free Eugene Teo (Mar 13)
- Re: CVE request: PHP substr_replace() use-after-free Oden Eriksson (Mar 13)
  - Re: CVE request: PHP substr_replace() use-after-free Felipe Pena (Mar 13)
    - Re: CVE request: PHP substr_replace() use-after-free Vincent Danen (Mar 18)