|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2010-11-09 04:22 UTC] [email protected]
-PHP Version: Irrelevant
+PHP Version: 5.3 and above.
[2010-11-09 04:23 UTC] [email protected]
[2010-11-09 09:47 UTC] [email protected]
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: moriyoshi
[2010-11-09 09:47 UTC] [email protected]
[2010-11-10 15:51 UTC] [email protected]
-Status: Assigned
+Status: Closed
[2010-11-10 15:51 UTC] [email protected]
[2010-11-16 21:30 UTC] [email protected]
-CVE-ID:
+CVE-ID: 2010-4156
[2010-11-22 15:27 UTC] [email protected]
-Type: Bug
+Type: Security
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Thu Jul 24 08:00:03 2025 UTC |
Description: ------------ mb_strcut() returns garbage when the following conditions are met: 1. The value specified to length parameter exceeds the length of the subject string. 2. mbstring.internal_encoding is set to some single-byte encoding. The garbage may consist of uncleared part of the heap that has previously been used for some purpose, which could lead to unexpected information exposure. This bug was originally reported by Mateusz Kocielski. Test script: --------------- <?php $b = "bbbbbbbbbbb"; str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1); $var3 = mb_strcut($b, 0, 1000); echo $var3; ?> Expected result: ---------------- bbbbbbbbbbb Actual result: -------------- bbbbbbbbbbb??????D$Ј=m???=m?(?=m?`?=m??5<m??=m?THIS IS A SECRET MESSAGE, ISN'T IT??g?1@?=m?(?=m???=m?p?=m?var3