The following input demonstrates a use-after-free bug in str_replace which occurs if the string is replaced with itself:

```ruby
a = "A"*50
b = "B"*50
```
This code prints `BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB` when it should print `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`.
This happens because the string buffer is freed here:
It is then copied here, after which it can continue to be used:
This issue was reported by https://hackerone.com/tunz
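The aliasing pattern the report describes, as an added example that is not the project's own str_replace: a hypothetical minimal string type with the defective free-then-copy ordering beside a hardened version, plus a check that replays the report's input (a = "A"*50, b = "B"*50, replace a with itself) against the hardened one. All names here are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal string object, constructed for this example (not the project's own). */
typedef struct { char *ptr; size_t len; } str_t;

static char *dup_bytes(const char *src, size_t len) {
    char *p = malloc(len + 1);
    if (!p) abort();
    memcpy(p, src, len);
    p[len] = '\0';
    return p;
}

void str_init(str_t *s, const char *src) { s->len = strlen(src); s->ptr = dup_bytes(src, s->len); }
void str_free(str_t *s) { free(s->ptr); s->ptr = NULL; s->len = 0; }

/* Defective ordering (hypothetical, modelled on the report): the destination
   buffer is freed before the source bytes are read, so when dst == src the copy
   reads freed memory and whatever reuses that chunk shows through. Never call
   it with aliased arguments; kept only for comparison with the fix below. */
void str_replace_uaf(str_t *dst, const str_t *src) {
    free(dst->ptr);                             /* also frees src->ptr if aliased */
    dst->ptr = dup_bytes(src->ptr, src->len);   /* use after free when dst == src */
    dst->len = src->len;
}

/* Hardened form: treat self-replace as a no-op and, in the general case,
   build the new buffer from the source before releasing the old one. */
void str_replace_safe(str_t *dst, const str_t *src) {
    if (dst == src || dst->ptr == src->ptr) return;
    char *fresh = dup_bytes(src->ptr, src->len);   /* read src while it is live */
    free(dst->ptr);
    dst->ptr = fresh;
    dst->len = src->len;
}

/* Replays the report's input against the hardened function and checks that
   a still holds 50 'A's afterwards. Returns 1 on success, 0 on failure. */
int self_replace_keeps_content(void) {
    char abuf[51], bbuf[51];
    memset(abuf, 'A', 50); abuf[50] = '\0';
    memset(bbuf, 'B', 50); bbuf[50] = '\0';
    str_t a, b;
    str_init(&a, abuf);
    str_init(&b, bbuf);
    str_replace_safe(&a, &a);
    int ok = (a.len == 50 && strspn(a.ptr, "A") == 50);
    str_free(&a); str_free(&b);
    return ok;
}
```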