php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #53273 mb_strcut() returns garbage with the excessive length parameter
Submitted: 2010-11-09 04:11 UTC Modified: 2010-11-22 15:27 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: moriyoshi@php.net Assigned: moriyoshi
Status: Closed Package: mbstring related
PHP Version: 5.3 and above. OS: Irrelevant
Private report: No CVE-ID: 2010-4156
 [2010-11-09 04:11 UTC] moriyoshi@php.net
Description:
------------
mb_strcut() returns garbage when the following conditions are met:

1. The value specified to length parameter exceeds the length of the subject 
string.
2. mbstring.internal_encoding is set to some single-byte encoding.

The garbage may consist of uncleared part of the heap that has previously been 
used for some purpose, which could lead to unexpected information exposure.

This bug was originally reported by Mateusz Kocielski.


Test script:
---------------
<?php
$b = "bbbbbbbbbbb";
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>


Expected result:
----------------
bbbbbbbbbbb

Actual result:
--------------
bbbbbbbbbbb??????D$Ј=m???=m?(?=m?`?=m??5<m??=m?THIS IS A SECRET MESSAGE, ISN'T 
IT??g?1@?=m?(?=m???=m?p?=m?var3

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-09 04:22 UTC] moriyoshi@php.net
-PHP Version: Irrelevant +PHP Version: 5.3 and above.
 [2010-11-09 04:23 UTC] moriyoshi@php.net
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=305214
Log: - Fix bug #53273 (mb_strcut() returns garbage with the excessive length parameter).
 [2010-11-09 09:47 UTC] aharvey@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: moriyoshi
 [2010-11-09 09:47 UTC] aharvey@php.net
Is there anything else that needs to be done besides the earlier commit?
 [2010-11-10 15:51 UTC] pajoye@php.net
-Status: Assigned +Status: Closed
 [2010-11-10 15:51 UTC] pajoye@php.net
CVE-2010-4156 assigned to this issue.
 [2010-11-16 21:30 UTC] felipe@php.net
-CVE-ID: +CVE-ID: 2010-4156
 [2010-11-22 15:27 UTC] felipe@php.net
-Type: Bug +Type: Security
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 03:01:55 2014 UTC