CVE-2019-3561 – Insufficient boundary checks for the strrpos and strripos functions allow access to out-of-bounds memory ( 30th Apr 2019)

Preface: An out-of-bounds read occurs when software reads data past the end, or before the beginning, of the intended buffer. It can expose sensitive memory to the caller (neighbouring heap data, pointers, secrets) and, when the read lands on an unmapped page, crash the process. CWE classifies this weakness as "out-of-bounds read".

Technical background: HHVM is an open-source virtual machine for executing programs written in Hack and PHP. It uses just-in-time (JIT) compilation to achieve high performance. HHVM is developed by Facebook, so Facebook's own developers run their Hack and PHP code on it, and a flaw in one of its string builtins is reachable from ordinary application code.

Vulnerability details: Insufficient boundary checks in HHVM's implementation of the strrpos and strripos functions (reverse substring search, case-sensitive and case-insensitive respectively) allow a read of out-of-bounds memory. Both functions accept caller-supplied arguments that steer where in the haystack the search runs, and those arguments were not validated strictly enough against the haystack's bounds.
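To make the bug class concrete, here is an added example (written for this page; it is not HHVM's code and does not reproduce the exact code path HHVM fixed): a simplified reverse substring search over a byte buffer in the style of strrpos/strripos, once with no validation of the caller-supplied offset and once with the two-sided check. The offset semantics are a simplified reading of PHP's (non-negative offset: search from that index to the end; negative offset: exclude the last |offset| bytes), and every haystack read goes through a peek() helper that traps an out-of-bounds index the way a guard page or AddressSanitizer would, so the unchecked variant reports the bad read instead of silently returning adjacent memory. The names rfind_unchecked, rfind_checked and run_trapped are this example's own, and the haystack is a constructed string (the one used in the PHP manual's strrpos examples).

```c
/* Added example, not HHVM's code: simplified strrpos()/strripos() over a
 * byte buffer, unchecked vs. checked offset handling. Every haystack read
 * goes through peek(), which traps out-of-bounds indices. */
#include <ctype.h>
#include <limits.h>
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOT_FOUND  (-1L)
#define BAD_OFFSET (-2L)
#define OOB_READ   (-3L)

static jmp_buf g_oob_env;     /* armed by run_trapped() below */
static size_t  g_oob_index;   /* first out-of-bounds index touched */

/* Instrumented byte access: any read outside [0, len) aborts the search. */
static unsigned char peek(const unsigned char *hay, size_t len, size_t idx) {
    if (idx >= len) {
        g_oob_index = idx;
        longjmp(g_oob_env, 1);
    }
    return hay[idx];
}

/* Does needle occur at index `at`? ci selects case-insensitive (strripos). */
static int match_at(const unsigned char *hay, size_t len,
                    const unsigned char *needle, size_t nlen,
                    size_t at, int ci) {
    for (size_t k = 0; k < nlen; k++) {
        unsigned char h = peek(hay, len, at + k), n = needle[k];
        if (ci ? tolower(h) != tolower(n) : h != n) return 0;
    }
    return 1;
}

/* Simplified PHP semantics assumed by this example:
 *   offset >= 0 : last occurrence starting at index >= offset
 *   offset <  0 : the last |offset| bytes of the haystack are excluded
 * No bounds check on offset: the region end is computed with size_t
 * arithmetic, so offset < -len wraps `end` to a huge value and the scan
 * starts far outside the buffer (the bug class of CVE-2019-3561). */
static long rfind_unchecked(const unsigned char *hay, size_t len,
                            const unsigned char *needle, size_t nlen,
                            long offset, int ci) {
    size_t start = offset >= 0 ? (size_t)offset : 0;
    size_t end   = offset >= 0 ? len : len + (size_t)offset;  /* may wrap */
    if (nlen == 0 || end < nlen) return NOT_FOUND;
    for (size_t i = end - nlen + 1; i-- > start; )
        if (match_at(hay, len, needle, nlen, i, ci)) return (long)i;
    return NOT_FOUND;
}

/* Hardened variant: reject any offset outside [-len, len] before doing
 * arithmetic with it (PHP warns and returns false in that case). With
 * the offset validated, start and end both lie within [0, len]. */
static long rfind_checked(const unsigned char *hay, size_t len,
                          const unsigned char *needle, size_t nlen,
                          long offset, int ci) {
    if (len > (size_t)LONG_MAX) return BAD_OFFSET;
    if (offset < -(long)len || offset > (long)len) return BAD_OFFSET;
    return rfind_unchecked(hay, len, needle, nlen, offset, ci);
}

typedef long (*rfind_fn)(const unsigned char *, size_t,
                         const unsigned char *, size_t, long, int);

/* Run one search under the OOB trap; OOB_READ means the search touched
 * memory outside the haystack. */
static long run_trapped(rfind_fn fn, const char *hay, const char *needle,
                        long offset, int ci) {
    if (setjmp(g_oob_env) != 0) return OOB_READ;
    return fn((const unsigned char *)hay, strlen(hay),
              (const unsigned char *)needle, strlen(needle), offset, ci);
}

int main(void) {
    /* Constructed haystack, taken from the PHP manual's strrpos examples. */
    const char *s = "0123456789a123456789b1234567890";
    printf("strrpos(s, \"7\", -5)   = %ld\n",
           run_trapped(rfind_unchecked, s, "7", -5, 0));
    printf("strrpos(s, \"7\", 20)   = %ld\n",
           run_trapped(rfind_unchecked, s, "7", 20, 0));
    printf("strripos(s, \"A\", 0)   = %ld\n",
           run_trapped(rfind_unchecked, s, "A", 0, 1));
    long r = run_trapped(rfind_unchecked, s, "7", -40, 0);
    printf("unchecked, offset -40 = %ld (first OOB index %zu)\n",
           r, g_oob_index);
    printf("checked,   offset -40 = %ld\n",
           run_trapped(rfind_checked, s, "7", -40, 0));
    return 0;
}
```

The point of the trap is visible in the -40 case: the unchecked search never compares its offset with the haystack length, the size_t wrap moves the first candidate index to the far end of the address space, and the very first read lands outside the buffer. In a real runtime that read returns whatever happens to sit there, or faults. The checked variant refuses the offset before any arithmetic, which is the shape of fix a reviewer should look for when auditing search functions that take caller-controlled positions.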

Impact: All supported HHVM release lines are affected: 4.0.3, 3.30.4 and 3.27.7 and earlier. Because strrpos and strripos are ordinary PHP string builtins, any Hack or PHP application that calls them with attacker-influenced arguments exercises the affected code.

Facebook resolved the issue in the following HHVM commit: https://github.com/facebook/hhvm/commit/46003b4ab564b2abcd8470035fc324fe36aa8c75
