Bug #50226 [PATCH] - Insufficient memory allocation for unicode string
Submitted: 2009-11-19 10:03 UTC Modified: 2009-11-24 11:08 UTC
From: yoarvi at gmail dot com Assigned:
Status: Closed Package: *Unicode Issues
PHP Version: 6SVN-2009-11-19 (SVN) OS: Solaris 5.10 (SPARC)
Private report: No CVE-ID: None
 [2009-11-19 10:03 UTC] yoarvi at gmail dot com
Description:
------------
ext/standard/string.c:3460 allocates only 1 extra byte for the terminating null
		str.u = safe_emalloc(2, UBYTES(old_len), 1);

but then assigns a null at line 3482 using 
		*q.u = 0;
which writes 2 bytes.

The following patch fixes the problem:

Index: ext/standard/string.c
===================================================================
--- ext/standard/string.c	(revision 290968)
+++ ext/standard/string.c	(working copy)
@@ -3457,7 +3457,7 @@
 
 	if (type == IS_UNICODE) {
 		old_end.u = old.u + old_len;
-		str.u = safe_emalloc(2, UBYTES(old_len), 1);
+		str.u = safe_emalloc(2, UBYTES(old_len), UBYTES(1));
 
 		for (p.u = old.u, q.u = str.u; p.u != old_end.u; p.u++) {
 			cp = *p.u;
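Review bot: the `UBYTES(1)` offset is the right size for the terminator, since `*q.u = 0` at line 3482 stores a whole UChar, but the allocation line still leaves a reader to reconstruct why `2 * UBYTES(old_len)` is enough. Add a one-line comment above `str.u = safe_emalloc(...)` stating the worst case (every input unit escaped, so 2 * old_len units, plus one terminating unit); the original `1` was precisely a unit-versus-byte slip, and as the debug output below shows it surfaced only as a 1-byte end-of-block overflow on a 41-byte block, which a non-debug build would not have caught.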


Reproduce code:
---------------
./configure --enable-debug

% sapi/cli/php ext/standard/tests/strings/quotemeta_basic.php


Expected result:
----------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
unicode(20) "\\\+\*\?\[\^\]\(\$\)"


Actual result:
--------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
[Thu Nov 19 15:35:30 2009]  Script:  'ext/standard/tests/strings/quotemeta_basic.php'
---------------------------------------
/home/arvi/php-trunk/ext/standard/string.c(3483) : Block 0x0969aed4 status:
Beginning:  	OK (allocated on /home/arvi/php-trunk/ext/standard/string.c:3460, 41 bytes)
    Start:	OK
      End:	Overflown (magic=0x00000000 instead of 0x2C8088DB)
          	1 byte(s) overflown
---------------------------------------
unicode(20) ""
[Thu Nov 19 15:35:30 2009]  Script:  'ext/standard/tests/strings/quotemeta_basic.php'
/home/arvi/php-trunk/ext/standard/string.c(3460) :  Freeing 0x0969AED4 (41 bytes), script=ext/standard/tests/strings/quotemeta_basic.php
/home/arvi/php-trunk/Zend/zend_alloc.c(2446) : Actual location (location was relayed)
=== Total 1 memory leaks detected ===


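The sizing error the report describes, as an added example that is not PHP's own code: a model of the IS_UNICODE branch of quotemeta() over 16-bit code units, with the terminator size as a parameter so the buggy `1` and the patched `UBYTES(1)` can be compared side by side. The `UChar` typedef, the `UBYTES` macro and every function name here are this example's assumptions, and the metacharacter set is read off the expected output above. Instead of performing the out-of-bounds store, it computes the bytes the escaping loop will write against the bytes the allocation reserves and refuses when the terminator would not fit; for the third test string (10 units, all escaped) that reproduces the 41-byte block and 1-byte overflow the debug allocator reported.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of PHP 6's Unicode types (not the real headers): a UChar is
 * one 16-bit UTF-16 code unit and UBYTES(n) is the byte size of n units. */
typedef uint16_t UChar;
#define UBYTES(n) ((size_t)(n) * sizeof(UChar))

/* Characters quotemeta() escapes, taken from the report's expected output. */
static int is_meta(UChar c) {
    return c != 0 && c < 0x80 && strchr(".\\+*?[^]$()", (char)c) != NULL;
}

/* Bytes the allocation line reserves: two units per input unit (worst case,
 * every unit escaped) plus term_bytes for the terminator. The buggy line
 * passed 1 as term_bytes; the patch passes UBYTES(1). */
size_t quotemeta_alloc_bytes(size_t old_len, size_t term_bytes) {
    return 2 * UBYTES(old_len) + term_bytes;
}

/* Bytes the escaping loop really writes, including the 2-byte `*q.u = 0`. */
size_t quotemeta_bytes_written(const UChar *src, size_t old_len) {
    size_t units = 0;
    for (size_t i = 0; i < old_len; i++)
        units += is_meta(src[i]) ? 2 : 1;
    return UBYTES(units + 1);
}

/* Escapes src into a block sized by quotemeta_alloc_bytes(). Where the real
 * code overran its block, this refuses and returns NULL; on success *out_len
 * is the escaped length in code units and the caller frees the result. */
UChar *quotemeta_u(const UChar *src, size_t old_len, size_t term_bytes, size_t *out_len) {
    size_t alloc = quotemeta_alloc_bytes(old_len, term_bytes);
    if (quotemeta_bytes_written(src, old_len) > alloc)
        return NULL;
    UChar *dst = malloc(alloc), *q = dst;
    if (dst == NULL)
        return NULL;
    for (size_t i = 0; i < old_len; i++) {
        if (is_meta(src[i]))
            *q++ = '\\';
        *q++ = src[i];
    }
    *q = 0;                          /* the store that overflowed by one byte */
    *out_len = (size_t)(q - dst);
    return dst;
}

/* Widens an ASCII string to UChar so the report's inputs can be fed in. */
static UChar *ascii_to_u(const char *s, size_t *n) {
    *n = strlen(s);
    UChar *u = malloc(UBYTES(*n + 1));
    if (u != NULL)
        for (size_t i = 0; i < *n; i++)
            u[i] = (unsigned char)s[i];
    return u;
}

/* Bytes by which the allocation falls short of the writes, 0 when it fits. */
size_t quotemeta_overflow_bytes(const char *ascii, size_t term_bytes) {
    size_t n, need, have;
    UChar *u = ascii_to_u(ascii, &n);
    if (u == NULL)
        return 0;
    need = quotemeta_bytes_written(u, n);
    have = quotemeta_alloc_bytes(n, term_bytes);
    free(u);
    return need > have ? need - have : 0;
}

/* Escapes ASCII input and narrows the result into out (outcap bytes). Returns
 * the escaped length, or 0 if the allocation would overflow, the result does
 * not fit in out, or the input is empty. */
size_t quotemeta_ascii(const char *ascii, size_t term_bytes, char *out, size_t outcap) {
    size_t n, len = 0;
    UChar *u = ascii_to_u(ascii, &n), *esc;
    if (u == NULL)
        return 0;
    esc = quotemeta_u(u, n, term_bytes, &len);
    free(u);
    if (esc == NULL || len + 1 > outcap) {
        free(esc);
        return 0;
    }
    for (size_t i = 0; i < len; i++)
        out[i] = (char)esc[i];
    out[len] = '\0';
    free(esc);
    return len;
}

int main(void) {
    char out[64];
    printf("term=1: block short by %zu byte(s)\n", quotemeta_overflow_bytes("\\+*?[^]($)", 1));
    if (quotemeta_ascii("\\+*?[^]($)", UBYTES(1), out, sizeof out))
        printf("term=UBYTES(1): \"%s\"\n", out);
    return 0;
}
```

The first two inputs from the test script never trigger the bug because only a few of their characters are escaped, so the 2 * old_len worst case leaves plenty of slack; the third escapes every unit, which is the only way the terminator lands on the last byte of the block.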
History
 [2009-11-24 11:08 UTC] svn@php.net
Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=291259
Log: Fixed #50226 (Insufficient memory allocation for unicode string)
 - Patch by yoarvi at gmail dot com
 [2009-11-24 11:08 UTC] kalle@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 04:01:28 2024 UTC