Bug 486660 - Reproducible double free and abort with php mbstring module
Status: CLOSED DEFERRED
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
Version: 4.7
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Joe Orton
QA Contact: BaseOS QE
Blocks: 657538
Reported: 2009-02-20 16:10 EST by Arturas Moskvinas
Modified: 2010-11-26 07:10 EST
Doc Type: Bug Fix
Clones: 657538
Last Closed: 2010-03-28 16:36:40 EDT


Attachments
Patch fixing the double free problem (backported from php-snap) (631 bytes, patch)
2009-02-20 16:10 EST, Arturas Moskvinas

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
PHP Bug Tracker | 47245 | None | None | None | Never

Description Arturas Moskvinas 2009-02-20 16:10:35 EST
Created attachment 332757
Patch fixing the double free problem (backported from php-snap)

Description of problem:
Reproducible PHP mbstring module segmentation fault when an unsupported charset
is used.

Version-Release number of selected component (if applicable):
4.3.9-3.9.1 and above

How reproducible:
Always

1. Install php-mbstring module
2. Execute this php script (through apache or cli):
<?php
  $str = "\357\277\357\277\275\357\277\275\357\277\275\357\277\275";
  $charset = mb_detect_encoding($str , "WINDOWS-1255,ASCII");
  echo "detect $charset\n";
  $str = mb_convert_encoding($str, "UTF-8", $charset);
  echo "convert %str\n";


Actual result:
PHP Warning:  mb_detect_encoding(): Illegal argument in - on line 3
Content-type: text/html

detect UTF-8
convert %str
*** glibc detected *** double free or corruption (fasttop): 0x00000000008c8b00 ***
Aborted


Expected result:
PHP Warning:  mb_detect_encoding(): Illegal argument in - on line 3
Content-type: text/html

detect UTF-8
convert %str

Additional info:
PHP bug report: http://bugs.php.net/bug.php?id=47245

Comment 1 Joe Orton 2010-03-28 16:36:40 EDT
This is CVE-2008-5557 which was fixed in:

http://rhn.redhat.com/errata/RHBA-2009-1013.html

Comment 2 David Kutálek 2010-11-26 07:10:15 EST
This bug was not really fixed in that errata.
Created a clone to track fixing in future: Bug #657538
