Skip to content
Permalink
Browse files Browse the repository at this point in the history
ext_mbstring: Fix invalid free() in php_mb_parse_encoding
Summary:
A chunk of memory allocated by 'req::calloc_noptrs' was being freed by 'free'. The former internally calls 'calloc' and returns a pointer at an index sizeof(MallocNode) inside the allocated buffer. This led to freeing invalid memory.

CVE-2019-11930

Reviewed By: jjergus

Differential Revision: D18179908

fbshipit-source-id: 0e3fe77628e0b9dee8361e712b8abac59ae5ed22
  • Loading branch information
DhavalKapil authored and facebook-github-bot committed Oct 29, 2019
1 parent a7f1fd5 commit 524d2e6
Show file tree
Hide file tree
Showing 3 changed files with 9 additions and 1 deletion.
2 changes: 1 addition & 1 deletion hphp/runtime/ext/mbstring/ext_mbstring.cpp
Expand Up @@ -908,7 +908,7 @@ static bool php_mb_parse_encoding(const Variant& encoding,
}
if (!ret) {
if (return_list && *return_list) {
free(*return_list);
req::free(*return_list);
*return_list = nullptr;
}
return_size = 0;
Expand Down
7 changes: 7 additions & 0 deletions hphp/test/slow/ext_mb/mb_detect_order_t54638796.php
@@ -0,0 +1,7 @@
<?hh
// Copyright 2004-present Facebook. All Rights Reserved.

<<__EntryPoint>>
function main() {
var_dump(mb_detect_order("UTF-8,\x2c"));
}
1 change: 1 addition & 0 deletions hphp/test/slow/ext_mb/mb_detect_order_t54638796.php.expect
@@ -0,0 +1 @@
bool(false)

0 comments on commit 524d2e6

Please sign in to comment.