|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #53273 mb_strcut() returns garbage with the excessive length parameter
Submitted: 2010-11-09 04:11 UTC Modified: 2010-11-22 15:27 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: Assigned: moriyoshi (profile)
Status: Closed Package: mbstring related
PHP Version: 5.3 and above. OS: Irrelevant
Private report: No CVE-ID: 2010-4156
 [2010-11-09 04:11 UTC]
mb_strcut() returns garbage when the following conditions are met:

1. The value specified to length parameter exceeds the length of the subject 
2. mbstring.internal_encoding is set to some single-byte encoding.

The garbage may consist of uncleared part of the heap that has previously been 
used for some purpose, which could lead to unexpected information exposure.

This bug was originally reported by Mateusz Kocielski.

Test script:
$b = "bbbbbbbbbbb";
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
$var3 = mb_strcut($b, 0, 1000);
echo $var3;

Expected result:

Actual result:
bbbbbbbbbbb??????D$Ј=m???=m?(?=m?`?=m??5<m??=m?THIS IS A SECRET MESSAGE, ISN'T 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-09 04:22 UTC]
-PHP Version: Irrelevant +PHP Version: 5.3 and above.
 [2010-11-09 04:23 UTC]
Automatic comment from SVN on behalf of moriyoshi
Log: - Fix bug #53273 (mb_strcut() returns garbage with the excessive length parameter).
 [2010-11-09 09:47 UTC]
-Status: Open +Status: Assigned -Assigned To: +Assigned To: moriyoshi
 [2010-11-09 09:47 UTC]
Is there anything else that needs to be done besides the earlier commit?
 [2010-11-10 15:51 UTC]
-Status: Assigned +Status: Closed
 [2010-11-10 15:51 UTC]
CVE-2010-4156 assigned to this issue.
 [2010-11-16 21:30 UTC]
-CVE-ID: +CVE-ID: 2010-4156
 [2010-11-22 15:27 UTC]
-Type: Bug +Type: Security
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 21 01:01:31 2024 UTC