Negative size parameter in mb_split

Disclosed: 2020-11-09 01:48:52 By haquaman To ibb
Critical
Vulnerability Details
https://bugs.php.net/bug.php?id=77367

mb_split doesn't correctly detect the length when the $string has an unfinished multibyte character at the end of the string. This causes a crash due to a negative parameter to add_next_index_stringl, which calls zend_string_init and memcpy. Could reproduce on master.

Impact

This could be used to cause memory corruption/leakage.
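The trigger condition described above is a subject string whose last bytes are an incomplete multibyte sequence. On a PHP build that does not yet carry the fix for bug #77367, the practical mitigation is to refuse such input before it reaches mb_split(). The wrapper below is an added example, not code from the report or from PHP itself: safe_mb_split() is a hypothetical name, the sample inputs are constructed, and the check relies on mb_check_encoding(), which returns false for strings containing an invalid or incomplete byte sequence in the named encoding.

```php
<?php
// Added example (not from the bug report): validate the subject's encoding
// before calling mb_split(), so a string ending in an unfinished multibyte
// character is rejected instead of being handed to the vulnerable length logic.
// safe_mb_split() is a hypothetical wrapper name chosen for this example.
function safe_mb_split(string $pattern, string $subject, string $encoding = 'UTF-8'): array
{
    // mb_check_encoding() is false for incomplete or malformed sequences,
    // which is exactly the input shape the bug report describes.
    if (!mb_check_encoding($subject, $encoding)) {
        throw new InvalidArgumentException(
            'subject is not valid ' . $encoding . ': possible truncated multibyte character'
        );
    }

    // mb_split() uses the mbregex encoding, so set it for this call and restore
    // whatever the application had configured afterwards.
    $previous = mb_regex_encoding();
    mb_regex_encoding($encoding);
    try {
        $parts = mb_split($pattern, $subject);
    } finally {
        mb_regex_encoding($previous);
    }

    if ($parts === false) {
        throw new RuntimeException('mb_split() failed');
    }
    return $parts;
}

// Constructed inputs: a well-formed UTF-8 string ending in the 3-byte character
// "€" (E2 82 AC), and the same string cut after the first byte of that character.
$good      = "a,b,\xE2\x82\xAC";   // "a,b,€"
$truncated = "a,b,\xE2";           // ends with an unfinished multibyte character

var_dump(safe_mb_split(',', $good));   // array("a", "b", "€")

try {
    safe_mb_split(',', $truncated);
} catch (InvalidArgumentException $e) {
    // The truncated string never reaches mb_split().
    echo $e->getMessage(), PHP_EOL;
}
```

Apply the same validation at the trust boundary (request bodies, file contents, network reads) rather than only around mb_split(): any input assembled from a byte stream can be cut mid-character, and the other mbstring functions benefit from the same guarantee.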
Report Stats
  • Report ID: 476178
  • State: Closed
  • Substate: resolved
  • Upvotes: 2