Segmentation fault in code mb_strcut+mb_list_encodings
<?php
// Reproducer from the report: mb_strcut() with the HTML-ENTITIES encoding
echo mb_strcut('"', 0, 0, 'HTML-ENTITIES');
list of encodings
Confirmed: <https://3v4l.org/mkXHU>. Seems to affect PHP 5 only.
The following patch has been added/updated:
Patch Name: fix-71606
The segfault is caused by double frees in mbfl_strcut()
where filters are copied to backups. However, the HTML decoding
filter uses the `opaque` member of mbfl_convert_filter as
buffer, so this buffer is later freed multiple times, because
there is no proper copy constructor defined.
The attached patch solves this issue for PHP-5.6 (merging upward
till master doesn't conflict). A respective fix should also be
applied to <https://github.com/moriyoshi/libmbfl>.
This issue might be exploitable, so I'm switching to sec bug.
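The double-free pattern described in the comment above, as an added illustration that is not libmbfl's or PHP's code: a simplified `filter` struct stands in for mbfl_convert_filter, its `opaque` member owns a heap buffer as the HTML-ENTITIES decoder does, and a small allocation tracker plays the role of ZendMM's debug-build invalid-free reporting. A backup taken as a plain struct copy shares the `opaque` pointer, so destroying both the original and the backup frees the same block twice; a copy routine that duplicates the buffer (the "copy constructor" the comment says is missing) avoids it. All names and the tracker are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (not libmbfl's real definition): a conversion filter
 * whose `opaque` member points to a heap buffer the filter owns. */
typedef struct filter {
    int    state;
    char  *opaque;      /* heap buffer owned by this filter */
    size_t opaque_len;
} filter;

/* Tiny allocation tracker standing in for ZendMM's debug checks: it
 * records live blocks and counts frees of pointers it no longer owns
 * instead of letting a real double free corrupt the heap. */
#define MAX_TRACKED 16
static void *live[MAX_TRACKED];
static int   invalid_frees;

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (!p) abort();
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!live[i]) { live[i] = p; return p; }
    }
    abort();
}

static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    invalid_frees++;    /* block already freed: heap corruption in a release build */
}

/* Number of blocks still allocated; 0 means no leak. */
static int live_blocks(void) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++) if (live[i]) n++;
    return n;
}

static void filter_init(filter *f, const char *seed) {
    f->state = 0;
    f->opaque_len = strlen(seed) + 1;
    f->opaque = tracked_alloc(f->opaque_len);
    memcpy(f->opaque, seed, f->opaque_len);
}

static void filter_destroy(filter *f) {
    tracked_free(f->opaque);
    f->opaque = NULL;
}

/* Proper copy: duplicate the owned buffer so each copy frees its own. */
static void filter_clone(filter *dst, const filter *src) {
    *dst = *src;
    dst->opaque = tracked_alloc(src->opaque_len);
    memcpy(dst->opaque, src->opaque, src->opaque_len);
}

/* Buggy pattern: the backup is a struct copy, so both share `opaque`.
 * Returns the number of invalid frees the tracker saw. */
static int shallow_backup_double_free(void) {
    filter f, backup;
    invalid_frees = 0;
    filter_init(&f, "&amp;");
    backup = f;                 /* shallow copy: backup.opaque == f.opaque */
    filter_destroy(&f);
    filter_destroy(&backup);    /* second free of the same block */
    return invalid_frees;
}

/* Fixed pattern: the backup owns its own buffer. */
static int deep_backup_no_double_free(void) {
    filter f, backup;
    invalid_frees = 0;
    filter_init(&f, "&amp;");
    filter_clone(&backup, &f);
    filter_destroy(&f);
    filter_destroy(&backup);
    return invalid_frees;
}

int main(void) {
    printf("shallow backup: %d invalid free(s)\n", shallow_backup_double_free());
    printf("deep backup:    %d invalid free(s)\n", deep_backup_no_double_free());
    printf("live blocks:    %d\n", live_blocks());
    return 0;
}
```

The shallow case reports exactly one invalid free, which is what a debug ZendMM build flags for the real bug; the deep-copy case reports none and leaks nothing.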
With a debug build invalid frees are reported by ZendMM.
Re-assign since hirokawa doesn't have security permissions
I don't see how this can be exploitable, could you explain?
It seems that *every* time mb_strcut() is called with $encoding =
'HTML-ENTITIES', there will be double-frees. I can't assess the
severity of these double-frees (might be harmless in all cases).
Automatic comment on behalf of cmb
Log: Fix #71606: Segmentation fault mb_strcut with HTML-ENTITIES