PHP :: Bug #3812 :: urlencode not bin-safe

Bug #3812	urlencode not bin-safe
Submitted:	2000-03-12 08:06 UTC	Modified:	2002-09-30 17:53 UTC
From:	baumert at pilot-webdesign dot de	Assigned:
Status:	Closed	Package:	Reproducible Crash
PHP Version:	3.0.15	OS:	Linux Redhat 5.2, 2.0.36, glibc2
Private report:	No	CVE-ID:	None

View Developer Edit

[2000-03-12 08:06 UTC] baumert at pilot-webdesign dot de

The urlencode function is not binary safe. It retrieves the length of the string to encode as a parameter,
then uses strlen to allocate the new buffer. Strlen returns wrong length for the bin-string.
After that, the len-parameter is used to fill the buffer => a buffer-overwrite occurs.

php 4 beta 4 pl1:

change line 241 from 
      str = (unsigned char *) emalloc(3 * strlen(s) + 1);
to 
      str = (unsigned char *) emalloc(3 * len + 1);

php 3.15

change line 242 from
  str = (unsigned char *) emalloc(3 * strlen(s) + 1);
to
  str = (unsigned char *) emalloc(3 * len + 1);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-09-30 17:53 UTC] hholzgra@php.net

this is ok in php 4.2.3 code

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Oct 26 23:00:02 2025 UTC