Bug #71606 Segmentation fault mb_strcut with HTML-ENTITIES encoding
Submitted: 2016-02-16 07:48 UTC Modified: 2017-07-23 10:17 UTC
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 1 (0.0%)
From: imbolk at gmail dot com Assigned:
Status: Closed Package: mbstring related
PHP Version: 5.6.18 OS: Linux
Private report: No CVE-ID: None

 [2016-02-16 07:48 UTC] imbolk at gmail dot com
Segmentation fault in code calling mb_strcut + mb_list_encodings

Test script:
<?php
// Reporter's case: a zero-length cut of a bare '"' with the HTML-ENTITIES encoding
echo mb_strcut('"', 0, 0, 'HTML-ENTITIES');

Expected result:
list of encodings

Actual result:
Segmentation fault


fix-71606 (last revision 2016-07-30 22:41 UTC by



 [2016-07-30 11:39 UTC]
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2016-07-30 11:39 UTC]
Confirmed: <>. Seems to affect PHP 5 only.
 [2016-07-30 22:41 UTC]
The following patch has been added/updated:

Patch Name: fix-71606
Revision:   1469918484
 [2016-07-30 22:41 UTC]
-Type: Bug +Type: Security -Assigned To: cmb +Assigned To: -Private report: No +Private report: Yes
 [2016-07-30 22:41 UTC]
The segfault[1] is caused by double frees in mbfl_strcut()[2]
where filters are copied to backups. However, the HTML decoding
filter uses the `opaque` member of mbfl_convert_filter[3] as a
buffer, so this buffer is later freed multiple times, because
there is no proper copy constructor[4] defined.

The attached patch solves this issue for PHP-5.6 (merging upward
to master doesn't conflict). A respective fix should also be
applied to <>.

This issue might be exploitable, so I'm switching to sec bug.

[1] With a debug build invalid frees are reported by ZendMM.
[2] <>
[3] <>
[4] <>
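The mechanism cmb describes above, as an added illustration that is not libmbfl's code or the bug's patch: a filter struct owns a heap buffer through an opaque pointer, the cut routine backs the filter up by copying the struct verbatim, and destroying both the backup and the live filter releases the same buffer twice. A deep-copying copy constructor is the corrected form. All names here (flt_t, flt_backup, tracked_free, run_strcut_model) are hypothetical stand-ins, and a small freed-pointer ledger flags the second release instead of performing it, so the demonstration stays well-defined.

```c
/* Added example, not libmbfl code: a minimal model of the double free in a
 * strcut-style routine that backs up a filter by copying its struct verbatim.
 * The filter's decoder keeps pending bytes in a heap buffer behind `opaque`;
 * without a copy constructor the backup aliases that buffer, and destroying
 * both the backup and the original frees it twice. A tracking allocator
 * records the second free rather than calling free() again (which is UB). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64

/* Ledger of pointers released via tracked_free(); hypothetical helper. */
static void *freed_ptrs[MAX_TRACKED];
static int freed_count = 0;
static int double_free_count = 0;

static void tracked_reset(void) { freed_count = 0; double_free_count = 0; }

static void tracked_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {   /* already released: a double free */
            double_free_count++;
            return;                 /* do not hand it to free() a second time */
        }
    }
    if (freed_count < MAX_TRACKED) freed_ptrs[freed_count++] = p;
    free(p);
}

/* Simplified stand-in for a conversion filter. An HTML-entity decoder has to
 * hold partial entity bytes (e.g. "&quo") between calls; here that buffer
 * hangs off `opaque` and is owned by the filter. */
typedef struct flt {
    int status;
    char *opaque;          /* heap buffer owned by this filter */
    size_t opaque_len;
    void (*copy)(const struct flt *src, struct flt *dst); /* copy ctor, may be NULL */
} flt_t;

static void flt_init(flt_t *f, const char *pending,
                     void (*copy)(const flt_t *, flt_t *)) {
    f->status = 0;
    f->opaque_len = strlen(pending) + 1;
    f->opaque = malloc(f->opaque_len);
    memcpy(f->opaque, pending, f->opaque_len);
    f->copy = copy;
}

/* The fix: a copy constructor that duplicates the private buffer so that
 * each copy owns its own allocation. */
static void flt_copy_deep(const flt_t *src, flt_t *dst) {
    *dst = *src;
    dst->opaque = malloc(src->opaque_len);
    memcpy(dst->opaque, src->opaque, src->opaque_len);
}

/* Backup step: use the copy constructor if the filter defines one, otherwise
 * fall back to a verbatim struct copy. The fallback is the bug: the backup
 * now carries the same `opaque` pointer as the live filter. */
static void flt_backup(const flt_t *src, flt_t *dst) {
    if (src->copy) src->copy(src, dst);
    else *dst = *src;
}

static void flt_destroy(flt_t *f) {
    tracked_free(f->opaque);
    f->opaque = NULL;
}

/* One modelled cut: init the filter, back it up, discard the backup, then
 * tear down the live filter. Returns how many double frees the ledger saw. */
static int run_strcut_model(int with_copy_ctor) {
    flt_t filter, backup;
    tracked_reset();
    flt_init(&filter, "&quo", with_copy_ctor ? flt_copy_deep : NULL);
    flt_backup(&filter, &backup);  /* state saved before probing the cut point */
    flt_destroy(&backup);          /* backup discarded: first free of the buffer */
    flt_destroy(&filter);          /* live filter torn down: second free if aliased */
    return double_free_count;
}

int main(void) {
    printf("verbatim struct copy (no copy ctor): %d double free(s)\n",
           run_strcut_model(0));
    printf("deep copy (copy ctor defined):       %d double free(s)\n",
           run_strcut_model(1));
    return 0;
}
```

Without the copy constructor the model reports one double free per cut, matching the observation further down in the thread that every HTML-ENTITIES cut hits this path; with the deep copy it reports none. On a real build the equivalent check is the ZendMM invalid-free report cmb mentions for a debug build.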
 [2016-08-07 23:33 UTC]
-Assigned To: +Assigned To: hirokawa
 [2016-11-27 14:20 UTC]
-Assigned To: hirokawa +Assigned To: cmb
 [2016-11-27 14:20 UTC]
Re-assign since hirokawa doesn't have security permissions
 [2016-11-27 22:59 UTC]
I don't see how this can be exploitable, could you explain?
 [2016-11-28 10:14 UTC]
It seems that *every* time mb_strcut() is called with $encoding =
'HTML-ENTITIES', there will be double-frees. I can't assess the
severity of these double-frees (might be harmless in all cases).
 [2017-06-21 08:37 UTC]
-Assigned To: cmb +Assigned To:
 [2017-07-23 10:11 UTC]
-Type: Security +Type: Bug
 [2017-07-23 10:17 UTC]
-Summary: Segmentation fault mb_strcut + mb_list_encodings +Summary: Segmentation fault mb_strcut with HTML-ENTITIES encoding
 [2017-07-23 10:23 UTC]
Automatic comment on behalf of cmb
Log: Fix #71606: Segmentation fault mb_strcut with HTML-ENTITIES
 [2017-07-23 10:23 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Feb 25 14:01:26 2024 UTC