Buffer overflow in Facebook HHVM
CVE-2020-1916
An incorrect size calculation in ldap_escape may lead to an integer overflow when overly long input is passed in, resulting in an out-of-bounds write. This issue affects HHVM prior to 4.56.2, all versions between 4.57.0 and 4.78.0, 4.79.0…
Vulnerability class: Buffer Overflow
EPSS: 0.008 (74.5th percentile)
Affected products
- Facebook HHVM — versions 4.83.1, 4.83.0, 4.82.1
Weakness classification (CWE)
References
- hhvm.com/blog/2020/11/12/security-update.html (x_refsource_CONFIRM)
- github.com/facebook/hhvm/commit/abe0b29e4d3a610f9bc920b8be4ad8403364c2d4 (x_refsource_MISC)