oss-sec mailing list archives

Re: CVE request: PHP substr_replace() use-after-free


From: Eugene Teo <eugene () redhat com>
Date: Sun, 13 Mar 2011 23:27:29 +0800

On 03/13/2011 10:00 PM, Felipe Pena wrote:
Hi,

I just found a use-after-free in PHP's substr_replace() function caused by
passing the same variable multiple times to the function, which makes
PHP use the same pointer in three variables inside the function, so when
the pointer is changed by a type conversion inside the function, it invalidates
the other variables.

The PHP security team has been notified, and a bug was already filed in the
bug tracker (http://bugs.php.net/bug.php?id=54238 [private])

$ sapi/cli/php ../bug.php
array(1) {
[0]=>
string(5) "0Ȅ y"
}
array(1) {
[0]=>
string(1) "0"
}

Please use CVE-2011-1148.

--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
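
The aliasing pattern described in the quoted report, as an added example that is not part of the original thread and is not PHP's source. The `value` struct and every function name are assumptions that stand in for an interpreter value and its in-place type conversion, and the stale address is only compared, never dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for an interpreter value; NOT PHP's real zval. */
typedef struct { char *buf; } value;

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    return strcpy(p, s);
}

/* In-place type conversion: builds a new buffer and frees the old one. */
static void convert_in_place(value *v) {
    char *fresh = malloc(32);
    if (!fresh) abort();
    snprintf(fresh, 32, "%ld", strtol(v->buf, NULL, 10));
    free(v->buf);
    v->buf = fresh;
}

/* Flawed pattern: remember str's buffer, then convert `from` in place.
 * Returns 1 when the remembered address no longer belongs to str, i.e. a
 * later read through it would be a use-after-free. Nothing stale is read. */
int flawed_leaves_stale(value *str, value *from) {
    uintptr_t remembered = (uintptr_t)str->buf;
    convert_in_place(from);
    return (uintptr_t)str->buf != remembered;
}

/* Hardened pattern: convert a private copy when `from` aliases `str`. */
int separated_leaves_stale(value *str, value *from) {
    value copy = { NULL };
    if (from == str) { copy.buf = dup_str(str->buf); from = &copy; }
    uintptr_t remembered = (uintptr_t)str->buf;
    convert_in_place(from);
    int stale = (uintptr_t)str->buf != remembered;
    free(copy.buf);
    return stale;
}

int main(void) {
    value a = { dup_str("12abc") }, b = { dup_str("12abc") };
    printf("aliased, flawed:    stale=%d\n", flawed_leaves_stale(&a, &a));
    printf("aliased, separated: stale=%d\n", separated_leaves_stale(&b, &b));
    free(a.buf); free(b.buf);
    return 0;
}
```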
