oss-sec mailing list archives
Re: CVE request: PHP substr_replace() use-after-free
From: Vincent Danen <vdanen () redhat com>
Date: Fri, 18 Mar 2011 10:28:17 -0600
* [2011-03-13 15:41:55 -0300] Felipe Pena wrote:
> 2011/3/13 Oden Eriksson <oeriksson () mandriva com>
>
>> On Sunday, 13 March 2011 15.00.10, Felipe Pena wrote:
>>> Hi,
>>>
>>> I just found a use-after-free in PHP's substr_replace() function caused by
>>> passing the same variable multiple times to the function, which makes the
>>> PHP to use the same pointer in three variables inside the function, so when
>>> the pointer is changed by a type conversion inside the function, it
>>> invalidates the other variables.
>>>
>>> The PHP security team has seen noticed, and a bug already was filed in the
>>> bugtracker (http://bugs.php.net/bug.php?id=54238 [private])
>>>
>>> $ sapi/cli/php ../bug.php
>>> array(1) {
>>>   [0]=>
>>>   string(5) "0?? y"
>>> }
>>> array(1) {
>>>   [0]=>
>>>   string(1) "0"
>>> }
>>
>> Thanks. It seems only 5.2 is affected because I couldn't reproduce it on 5.3. Or?
>
> It affects 5.2, 5.3 and even trunk. I can reproduce it in all the branches.

Do you have a reproducer for this issue that you could share? The bug is still private.

Thanks.

--
Vincent Danen / Red Hat Security Response Team
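The aliasing hazard described in the quoted report, modelled as an added example in C. It is not part of this thread, not PHP's source and not the private reproducer; the `value` type and every function name are hypothetical, and the stale pointer is tracked with a generation counter rather than dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an interpreter value; NOT PHP's zval. All names are hypothetical. */
typedef enum { T_LONG, T_STRING } vtype;
typedef struct { vtype type; long lval; char *str; unsigned gen; } value;

static value make_string(const char *s) {
    value v = { T_STRING, 0, NULL, 0 };
    v.str = malloc(strlen(s) + 1);
    strcpy(v.str, s);
    return v;
}

/* In-place type conversion: releases the string buffer of the value it converts. */
static void convert_to_long(value *v) {
    if (v->type != T_STRING) return;
    v->lval = strtol(v->str, NULL, 10);
    free(v->str);
    v->str = NULL;
    v->type = T_LONG;
    v->gen++;                       /* the buffer the caller knew is gone */
}

/* Unsafe order: remember the subject's buffer, then convert an argument that may
   be the same variable. Returns 1 if the remembered buffer went stale. */
int cached_pointer_goes_stale(value *subject, value *from) {
    unsigned seen = subject->gen;   /* stands for: const char *s = subject->str; */
    convert_to_long(from);
    return subject->gen != seen;    /* using s past this point would be a use-after-free */
}

/* Safe order: derive the offset from the argument without modifying it, so an
   aliased subject keeps its buffer. Returns -1 if subject is not a string. */
long offset_without_touching_subject(const value *subject, const value *from) {
    long off = from->type == T_STRING ? strtol(from->str, NULL, 10) : from->lval;
    return (subject->type == T_STRING && subject->str != NULL) ? off : -1;
}

int main(void) {
    value v = make_string("7 apples");   /* constructed sample input */
    printf("safe offset: %ld\n", offset_without_touching_subject(&v, &v));
    printf("stale after aliasing call: %d\n", cached_pointer_goes_stale(&v, &v));
    free(v.str);                          /* NULL after conversion; free(NULL) is a no-op */
    return 0;
}
```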
Current thread:
- CVE request: PHP substr_replace() use-after-free Felipe Pena (Mar 13)
- Re: CVE request: PHP substr_replace() use-after-free Eugene Teo (Mar 13)
- Re: CVE request: PHP substr_replace() use-after-free Oden Eriksson (Mar 13)
- Re: CVE request: PHP substr_replace() use-after-free Felipe Pena (Mar 13)
- Re: CVE request: PHP substr_replace() use-after-free Vincent Danen (Mar 18)
- Re: CVE request: PHP substr_replace() use-after-free Felipe Pena (Mar 13)