oss-sec mailing list archives
CVE Request: use after free in PHP 5.6 and 7 (possibly others)
From: Brian Carpenter <brian.carpenter () gmail com>
Date: Thu, 16 Jul 2015 01:24:02 -0500
Bug Report: https://bugs.php.net/bug.php?id=70083 Fixed in PHP 5.6: http://git.php.net/?p=php-src.git;a=commitdiff;h=f57cb13c566613eec0e1c2f6d96d18565436a9b7 Fixed in 7: http://git.php.net/?p=php-src.git;a=commit;h=0af07333520f65def3a72f31effa38c907e962f9 This bug may also affect PHP 5.0.4, 5.0.5, 5.1.0-5.1.6, 5.4.0-5.5.26 (based on 3v4l.org responses), triggered by this unminimized test case which wasn't included in the original bug report: <?php class wpq { private $unrenced; public function __get($name) { return $this; } } function ret_assoc() { return array('Roo' => 'bar'); } $wpq = new wpq; $wpq->interesting =& ret_assoc(); $x +@$wpq->interesting; printf("%s\n", $x); Regards, Brian 'geeknik' Carpenter https://twitter.com/geeknik
Current thread:
- CVE Request: use after free in PHP 5.6 and 7 (possibly others) Brian Carpenter (Jul 15)
- Re: CVE Request: use after free in PHP 5.6 and 7 (possibly others) Mark Felder (Jul 16)