| commit | 524d2e60cfe910406ec6109e4286d7edd545ab36 | |
| author | Dhaval Kapil <dhavalkapil@fb.com> | |
| Tue, 29 Oct 2019 06:06:25 +0000 (28 23:06 -0700) | ||
| committer | Facebook Github Bot <facebook-github-bot@users.noreply.github.com> | |
| Tue, 29 Oct 2019 06:08:20 +0000 (28 23:08 -0700) | ||
| tree | 5973c1b114479e696bf089e03f211b88c75767e1 | treesnapshot (tar.gz zip) |
| parent | a7f1fd5afba9c8f7ffe22722c842adb0d3377979 | commitdiff |
ext_mbstring: Fix invalid free() in php_mb_parse_encoding
Summary:
A chunk of memory allocated by 'req::calloc_noptrs' was being freed by 'free'. The former internally calls 'calloc' and returns a pointer at an index sizeof(MallocNode) inside the allocated buffer. This led to freeing invalid memory.
CVE-2019-11930
Reviewed By: jjergus
Differential Revision: D18179908
fbshipit-source-id: 0e3fe77628e0b9dee8361e712b8abac59ae5ed22
Summary:
A chunk of memory allocated by 'req::calloc_noptrs' was being freed by 'free'. The former internally calls 'calloc' and returns a pointer at an index sizeof(MallocNode) inside the allocated buffer. This led to freeing invalid memory.
CVE-2019-11930
Reviewed By: jjergus
Differential Revision: D18179908
fbshipit-source-id: 0e3fe77628e0b9dee8361e712b8abac59ae5ed22
| hphp/runtime/ext/mbstring/ext_mbstring.cpp | diffblobblamehistory | |
| hphp/test/slow/ext_mb/mb_detect_order_t54638796.php | [new file with mode: 0644] | blob |
| hphp/test/slow/ext_mb/mb_detect_order_t54638796.php.expect | [new file with mode: 0644] | blob |