Edit report at http://bugs.php.net/bug.php?id=53273&edit=1

 ID:                 53273
 Updated by:         [email protected]
 Reported by:        [email protected]
 Summary:            mb_strcut() returns garbage with the excessive
                     length parameter
-Status:             Open
+Status:             Assigned
 Type:               Bug
 Package:            mbstring related
 Operating System:   Irrelevant
 PHP Version:        5.3 and above.
-Assigned To:        
+Assigned To:        moriyoshi
 Block user comment: N

 New Comment:

Is there anything else that needs to be done besides the earlier commit?


Previous Comments:
------------------------------------------------------------------------
[2010-11-09 04:23:06] [email protected]

Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=305214
Log: - Fix bug #53273 (mb_strcut() returns garbage with the excessive
length parameter).

------------------------------------------------------------------------
[2010-11-09 04:11:56] [email protected]

Description:
------------
mb_strcut() returns garbage when the following conditions are met:

1. The value specified for the length parameter exceeds the length of
   the subject string.

2. mbstring.internal_encoding is set to some single-byte encoding.

The garbage may consist of an uncleared part of the heap that has
previously been used for some purpose, which could lead to unexpected
information exposure.

This bug was originally reported by Mateusz Kocielski.



Test script:
---------------
<?php
$b = "bbbbbbbbbbb";
str_repeat("THIS IS A SECRET MESSAGE, ISN'T IT?", 1);
$var3 = mb_strcut($b, 0, 1000);
echo $var3;
?>



Expected result:
----------------
bbbbbbbbbbb

Actual result:
--------------
bbbbbbbbbbb??????D$Ј=m???=m?(?=m?`?=m??5<m??=m?THIS IS A SECRET MESSAGE, ISN'T it??...@?=m?(?=m???=m?p?=m?var3


------------------------------------------------------------------------
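
Added example, not part of the bug report or of PHP's own test suite: a regression check for the two conditions listed in the description, usable to confirm that a given PHP build no longer returns more bytes than the subject string holds. The function name, the encoding list and the length values are assumptions chosen for illustration.

```php
<?php
// Regression check for bug #53273 (added example, not from the report).
// Written in PHP 5.3-compatible syntax so it also runs on old builds.

// Returns a list of failure descriptions. An empty list means every call
// returned exactly the subject string and nothing beyond it.
function check_mb_strcut_overlong($encodings, $lengths)
{
    $failures  = array();
    $subject   = "bbbbbbbbbbb";          // same subject as the report's test script
    $previous  = mb_internal_encoding(); // restored before returning
    $supported = mb_list_encodings();

    foreach ($encodings as $enc) {
        if (!in_array($enc, $supported, true)) {
            continue;                    // this build does not know the encoding
        }
        // Condition 2 of the report: a single-byte internal encoding.
        mb_internal_encoding($enc);

        foreach ($lengths as $len) {
            // Condition 1: length exceeds the byte length of the subject.
            $out = mb_strcut($subject, 0, $len);
            if ($out !== $subject) {
                // Report sizes only; do not echo the returned bytes themselves.
                $failures[] = sprintf(
                    "%s, length=%d: got %d bytes, expected %d",
                    $enc, $len, strlen($out), strlen($subject)
                );
            }
        }
    }

    mb_internal_encoding($previous);
    return $failures;
}

// Constructed sample inputs: three single-byte encodings and three lengths,
// all larger than strlen("bbbbbbbbbbb") = 11.
$encodings = array("ISO-8859-1", "ASCII", "Windows-1252");
$lengths   = array(12, 1000, 65536);

$failures = check_mb_strcut_overlong($encodings, $lengths);
foreach ($failures as $f) {
    echo "FAIL: $f\n";
}
if (count($failures) === 0) {
    echo "OK: mb_strcut() returned only the subject bytes\n";
}
exit(count($failures) === 0 ? 0 : 1);
```
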


