php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #54238 use-after-free in substr_replace()
Submitted: 2011-03-13 02:29 UTC Modified: 2011-04-13 08:34 UTC
From: felipe@php.net Assigned: stas (profile)
Status: Closed Package: Strings related
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: 2011-1148
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: felipe@php.net
New email:
PHP Version: OS:

 

 [2011-03-13 02:29 UTC] felipe@php.net 
Description:
------------
Caused by passing the same variable multiple times to the function, which makes a convert_to_<type>_ex() call to invalid the each pointer of parameter.

Test script:
---------------
<?php

$f = array(array('A', 'A'));

$z = substr_replace($f, $f, $f, 1);
var_dump($z, $f);

Actual result:
--------------
array(1) {
  [0]=>
  string(5) "0Dd	y"
}
array(1) {
  [0]=>
  string(1) "0"
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-13 18:51 UTC] felipe@php.net
-CVE-ID: +CVE-ID: 2011-1148
 [2011-04-13 08:33 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2011-04-13 08:33 UTC] stas@php.net 
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 04:00:02 2025 UTC