Please sign in to comment.
Use req::strndup in php_mb_parse_encoding_list to prevent oob memory …
…write. Summary: Fix out of bounds write access in mb_detect_encoding. Using strndup in php_mb_parse_encoding_list will cause strings with embedded nulls to be unexpectedly shortened. The expected length of the string is tracked in value_length but since strndup may copy fewer characters when there are mbedded null this can lead to oob writes into tmpstr. I've found a couple other places in this file that use strndup and replaced them with req::strndup as well. The use of strndup in mb_send_mail also seemed to be a leak. This replaces uses of strndup with req::strndup which can handle embedded nulls properly. It looks like I also accidentally fixed t11337047 at the same time. Adding it to the list of tasks. Reviewed By: paulbiss Differential Revision: D3360065 fbshipit-source-id: 99776cf9105e3789883380bf30240009eec52cec
- Loading branch information...
Showing with 16 additions and 7 deletions.
|@@ -0,0 +1,6 @@|
|<?hh // strict|
|// Copyright 2004-present Facebook. All Rights Reserved.|
|$var0 = null;|
|$var3 = "\x00";|
|$var3 = mb_detect_encoding($var0,$var3);|