oss-sec mailing list archives
Re: CVE Request + Advisory: PHP str_repeat() sign mismatch based memory corruption
From: Stanislav Malyshev <smalyshev () gmail com>
Date: Tue, 19 May 2015 11:19:34 -0700
Hi!
> http://phpcrossref.com/xref/jpegmeta/EXIF.php.html, https://code.google.com/p/zimbra-api-php/, http://phpcrossref.com/xref/jpegmeta/XML.php.html) it is really likely that it would end up processed by one of these functions (string concatenation, for example).
>
> $makernote .= str_repeat("\x00",( $tiff_data[ 'Makernote_Tag' ][ 'Offset' ] - 8 ) );
OK, I guess with parsing external formats like EXIF it can happen, so while I'm still not sure about remote exploitation, remote triggering is a possibility, you've convinced me here.

-- 
Stas Malyshev
smalyshev () gmail com
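A bounds check for the multiplier in the jpegmeta line quoted in this message, as an added example that is not part of the original thread or of the jpegmeta code. The helper name `makernote_padding`, the `$file_size` parameter and the sample arrays are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from jpegmeta): builds the NUL padding that the
 * quoted line builds, but only after the file-supplied offset is validated.
 */
function makernote_padding(array $tiff_data, int $file_size): string
{
    $offset = $tiff_data['Makernote_Tag']['Offset'] ?? null;

    // The offset is read from the image, so treat it as untrusted input.
    if (!is_int($offset)) {
        throw new UnexpectedValueException('Makernote offset missing or not an integer');
    }

    $count = $offset - 8;

    // Reject offsets that would make the str_repeat() multiplier negative.
    if ($count < 0) {
        throw new RangeException("Makernote offset $offset is smaller than 8");
    }

    // An offset cannot point past the end of the file it was read from;
    // this also caps the allocation str_repeat() is asked to make.
    if ($offset > $file_size) {
        throw new RangeException("Makernote offset $offset exceeds file size $file_size");
    }

    return str_repeat("\x00", $count);
}

// Constructed sample inputs, not taken from real images.
$samples = [
    'valid'     => ['Makernote_Tag' => ['Offset' => 520]],
    'too small' => ['Makernote_Tag' => ['Offset' => 3]],
    'too large' => ['Makernote_Tag' => ['Offset' => PHP_INT_MAX]],
    'missing'   => [],
];

foreach ($samples as $label => $tiff_data) {
    try {
        $padding = makernote_padding($tiff_data, 4096);
        printf("%-9s -> %d bytes of padding\n", $label, strlen($padding));
    } catch (UnexpectedValueException | RangeException $e) {
        printf("%-9s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```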