Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 13 Mar 2011 11:00:10 -0300
From: Felipe Pena <>
Subject: CVE request: PHP substr_replace() use-after-free


I just found an use-after-free in PHP's substr_replace() function caused by
passing the same variable multiple times to the function, which makes the
PHP to use the same pointer in three variables inside the function, so when
the pointer is changed by a type conversion inside the function, it invalids
the other variables.

The PHP security team has seen noticed, and a bug already was filed in the
bugtracker ( [private])

$ sapi/cli/php ../bug.php
array(1) {
string(5) "0Ȅ y"
array(1) {
string(1) "0"


Felipe Pena

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.