PT-2021-10303 · Facebook · HHVM

Published: 2021-03-10 · Updated: 2021-03-15 · CVE-2020-1919

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: HHVM
- versions prior to 4.56.3
- versions 4.57.0 through 4.80.1
- versions 4.81.0 through 4.93.1
- versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0
Description: The issue is caused by incorrect bounds calculations in the substr_compare function, which can lead to an out-of-bounds read when the second string argument passed in is longer than the first.

Recommendations:
- For versions prior to 4.56.3, update to version 4.56.3 or later.
- For versions 4.57.0 through 4.80.1, update to version 4.80.2 or later.
- For versions 4.81.0 through 4.93.1, update to version 4.93.2 or later.
- For versions 4.94.0, 4.95.0, 4.96.0, 4.97.0, 4.98.0, update to a version that includes the fix for this issue.
- As a temporary workaround, consider restricting the length of the second string argument passed to the substr_compare function to prevent out-of-bounds reads.
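To make the bounds rule concrete, the following is an added C example (not HHVM's code) of a substr_compare-style routine that bounds the byte comparison by both operands, modelled on PHP's documented substr_compare semantics; the function names, the error-handling rule for an out-of-range offset and the sample inputs are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not HHVM's code. The advisory's bug class arises when the
 * default comparison length max(s2_len, s1_len - offset) is also used as the
 * number of bytes actually read: with str longer than the tail of main_str,
 * the read runs off the end of main_str. Here the byte loop is bounded by
 * BOTH remaining lengths and the longer tail is resolved by comparing
 * effective lengths, which is what PHP's semantics call for. */
static int bounded_compare(const char *a, size_t a_len, const char *b,
                           size_t b_len, size_t cmp_len, int ci) {
    size_t n = a_len < b_len ? a_len : b_len;   /* never exceed either buffer */
    if (cmp_len < n) n = cmp_len;
    for (size_t i = 0; i < n; i++) {
        unsigned char x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (ci) { x = (unsigned char)tolower(x); y = (unsigned char)tolower(y); }
        if (x != y) return x < y ? -1 : 1;
    }
    /* Equal prefix: the operand with fewer bytes within cmp_len sorts first. */
    size_t ea = a_len < cmp_len ? a_len : cmp_len;
    size_t eb = b_len < cmp_len ? b_len : cmp_len;
    return ea == eb ? 0 : (ea < eb ? -1 : 1);
}

/* Returns <0, 0, >0. length < 0 selects PHP's default length. An offset past
 * the end of main_str sets *err (assumed rule; PHP versions differ here). */
int safe_substr_compare(const char *main_str, size_t s1_len, const char *str,
                        size_t s2_len, long offset, long length, int ci,
                        int *err) {
    *err = 0;
    if (offset < 0) { offset += (long)s1_len; if (offset < 0) offset = 0; }
    if ((size_t)offset > s1_len) { *err = 1; return 0; }
    size_t rem = s1_len - (size_t)offset;            /* bytes left in main_str */
    size_t cmp_len = length >= 0 ? (size_t)length
                                 : (rem > s2_len ? rem : s2_len);
    return bounded_compare(main_str + offset, rem, str, s2_len, cmp_len, ci);
}

int main(void) {
    int err;
    /* Constructed input for the advisory's case: str longer than the tail. */
    int r = safe_substr_compare("abcde", 5, "cdefghijk", 9, 2, -1, 0, &err);
    printf("result=%d err=%d\n", r, err);   /* prints result=-1 err=0 */
    return 0;
}
```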

Weakness Enumeration: Out-of-bounds Read

Related Identifiers: CVE-2020-1919

Affected Products: HHVM