Re: CVE request: PHP substr_replace() use-after-free

[Vincent Danen <vdanen () redhat com>]

* [2011-03-13 15:41:55 -0300] Felipe Pena wrote:

> 2011/3/13 Oden Eriksson <oeriksson () mandriva com>
>
> > söndagen den 13 mars 2011 15.00.10 skrev  Felipe Pena:
> > > Hi,
> > >
> > > I just found an use-after-free in PHP's substr_replace() function caused
> > by
> > > passing the same variable multiple times to the function, which makes the
> > > PHP to use the same pointer in three variables inside the function, so
> > when
> > > the pointer is changed by a type conversion inside the function, it
> > > invalids the other variables.
> > >
> > > The PHP security team has seen noticed, and a bug already was filed in
> > the
> > > bugtracker (http://bugs.php.net/bug.php?id=54238 [private])
> > >
> > > $ sapi/cli/php ../bug.php
> > > array(1) {
> > > [0]=>
> > > string(5) "0?? y"
> > > }
> > > array(1) {
> > > [0]=>
> > > string(1) "0"
> > > }
> > >
> > >
> > > Thanks.
> >
> > It seems only 5.2 is affected because I couldn't reproduce it on 5.3. Or?
> It affects 5.2, 5.3 and even trunk. I can reproduce it in all the branches.

Do you have a reproducer for this issue that you could share?  The bug
is still private.

Thanks.

--
Vincent Danen / Red Hat Security Response Team