mb_strcut() returns garbage with the excessive length parameter
| Sec Bug #53273 | mb_strcut() returns garbage with the excessive length parameter | | |
|---|---|---|---|
| Submitted: | 2010-11-09 04:11 UTC | Modified: | 2010-11-22 15:27 UTC |
| From: | moriyoshi@php.net | Assigned: | moriyoshi |
| Status: | Closed | Package: | mbstring related |
| PHP Version: | 5.3 and above. | OS: | Irrelevant |
| Private report: | No | CVE-ID: | 2010-4156 |
[2010-11-09 04:11 UTC] moriyoshi@php.net
Description:
------------
mb_strcut() returns garbage when the following conditions are met:
1. The value specified for the length parameter exceeds the length of the subject
string.
2. mbstring.internal_encoding is set to some single-byte encoding.
The garbage may consist of an uncleared part of the heap that has previously been
used for some purpose, which could lead to unexpected information exposure.
This bug was originally reported by Mateusz Kocielski.
Test script:
---------------
<?php
$b = "bbbbbbbbbbb";
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>
Expected result:
----------------
bbbbbbbbbbb
Actual result:
--------------
bbbbbbbbbbb??????D$Ј=m???=m?(?=m?`?=m??5<m??=m?THIS IS A SECRET MESSAGE, ISN'T
IT??g?1@?=m?(?=m???=m?p?=m?var3
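
The over-read described in this report, as an added example that is not part of the original report and is not PHP's mbstring source: a simplified C model of a single-byte cut that trusts the caller's length, beside a form that clamps it first. The arena contents, function names and sizes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a heap region: the 11-byte subject from the test
 * script, then stale bytes left behind by an earlier allocation. */
static const char arena[] = "bbbbbbbbbbb" "\0" "STALE-SECRET-BYTES!!";
#define ARENA_LEN   (sizeof(arena) - 1)
#define SUBJECT_LEN 11u

/* Model of the flaw: a single-byte cut that trusts the caller's length.
 * The copy is capped at the model arena only so the demo stays defined. */
size_t cut_unchecked(size_t from, size_t length, char *out)
{
    if (from > ARENA_LEN) from = ARENA_LEN;
    if (length > ARENA_LEN - from) length = ARENA_LEN - from;
    memcpy(out, arena + from, length);
    return length;
}

/* Hardened form: clamp offset and length to the subject's real length
 * before touching memory. Subtracting first avoids size_t overflow
 * that from + length could cause. */
size_t cut_checked(size_t from, size_t length, char *out)
{
    if (from > SUBJECT_LEN) from = SUBJECT_LEN;
    if (length > SUBJECT_LEN - from) length = SUBJECT_LEN - from;
    memcpy(out, arena + from, length);
    return length;
}

/* Number of bytes beyond the subject that the unchecked cut hands back. */
size_t leaked_bytes(size_t from, size_t length)
{
    char out[sizeof(arena)];
    size_t got = cut_unchecked(from, length, out);
    size_t ok = cut_checked(from, length, out);
    return got - ok;
}

int main(void)
{
    char out[sizeof(arena)];
    size_t n = cut_unchecked(0, 1000, out);
    printf("unchecked: %zu bytes, %zu past the subject\n", n, leaked_bytes(0, 1000));
    n = cut_checked(0, 1000, out);
    printf("checked:   %zu bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```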
History
[2010-11-09 04:22 UTC] moriyoshi@php.net
-PHP Version: Irrelevant
+PHP Version: 5.3 and above.
[2010-11-09 09:47 UTC] aharvey@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: moriyoshi
[2010-11-09 09:47 UTC] aharvey@php.net
[2010-11-10 15:51 UTC] pajoye@php.net
-Status: Assigned
+Status: Closed
[2010-11-10 15:51 UTC] pajoye@php.net