Created attachment 332757
Patch fixing the double free problem (backported from php-snap)

Description of problem:
Reproducible php mbstring module segmentation fault when an unsupported charset is used.

Version-Release number of selected component (if applicable):
4.3.9-3.9.1 and above

How reproducible:
Always

1. Install php-mbstring module
2. Execute this php script (through apache or cli):

<?php
$str = "\357\277\357\277\275\357\277\275\357\277\275\357\277\275";
$charset = mb_detect_encoding($str , "WINDOWS-1255,ASCII");
echo "detect $charset\n";
$str = mb_convert_encoding($str, "UTF-8", $charset);
echo "convert %str\n";

3.

Actual result:
PHP Warning: mb_detect_encoding(): Illegal argument in - on line 3
Content-type: text/html

detect UTF-8
convert %str
*** glibc detected *** double free or corruption (fasttop): 0x00000000008c8b00 ***
Aborted

Expected result:
PHP Warning: mb_detect_encoding(): Illegal argument in - on line 3
Content-type: text/html

detect UTF-8
convert %str

Additional info:
Php bug report: http://bugs.php.net/bug.php?id=47245
This is CVE-2008-5557, which was fixed in: http://rhn.redhat.com/errata/RHBA-2009-1013.html
This bug was not really fixed in that errata. Created a clone to track fixing in future: Bug #657538