PHP :: Bug #47245 :: crash following mb_detect

Bug #47245	crash following mb_detect_encoding
Submitted:	2009-01-29 21:09 UTC	Modified:	2009-01-29 23:15 UTC
From:	j at korni dot net	Assigned:
Status:	Closed	Package:	mbstring related
PHP Version:	5.2.8	OS:	Linux64
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

[2009-01-29 21:09 UTC] j at korni dot net

Description:
------------
mb_detect_encoding issues warning "Illegal argument", then things go bezerk. Maybe some heap corruption.

Reproduce code:
---------------
<?php
  $str = "\357\277\357\277\275\357\277\275\357\277\275\357\277\275";
  $charset = mb_detect_encoding($str , "WINDOWS-1255,ASCII");
  echo "detect $charset\n";
  $str = mb_convert_encoding($str, "UTF-8", $charset);
  echo "convert %str\n";


Expected result:
----------------
detect WINDOWS-1255
convert <some UTF8-text>

Actual result:
--------------
Warning: mb_detect_encoding(): Illegal argument in ...
detect detec    *** note the corrupted string
Segmentation fault

#0  _zend_mm_alloc_int (heap=0xbbf2b0, size=6) at /home/me/src/php-5.2.8/Zend/zend_alloc.c:1780
#1  0x000000000063f3e0 in _estrndup (s=0xd37e38 "UTF-8", length=6)
    at /home/me/src/php-5.2.8/Zend/zend_alloc.c:2435
#2  0x00000000004ed164 in php_mb_parse_encoding_list (value=0xbbf2b0 "\001", value_length=6, 
    return_list=0x7fffdec7a400, return_size=0x7fffdec7a40c, persistent=0)
    at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:367
#3  0x00000000004ee602 in php_mb_convert_encoding (input=<value optimized out>, 
    length=<value optimized out>, _to_encoding=<value optimized out>, _from_encodings=0xd37e38 "UTF-8", 
    output_len=0x7fffdec7a468) at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:2443
#4  0x00000000004eeb44 in zif_mb_convert_encoding (ht=<value optimized out>, return_value=0xd37dc0, 
    return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, 
    return_value_used=<value optimized out>) at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:2553
#5  0x000000000068608b in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffdec7a6b0)
    at /home/me/src/php-5.2.8/Zend/zend_vm_execute.h:200
#6  0x00000000006763f3 in execute (op_array=0xd37268)
    at /home/me/src/php-5.2.8/Zend/zend_vm_execute.h:92
#7  0x0000000000658203 in zend_execute_scripts (type=8, retval=0x4, file_count=3)
    at /home/me/src/php-5.2.8/Zend/zend.c:1134
#8  0x00000000006184cb in php_execute_script (primary_file=0x7fffdec7cd20)
    at /home/me/src/php-5.2.8/main/main.c:2023
#9  0x00000000006d5a8c in main (argc=2, argv=0x7fffdec7cf18)
    at /home/me/src/php-5.2.8/sapi/cli/php_cli.c:1133

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-01-29 22:05 UTC] j at korni dot net

Found the bug. list is freed twice if not zeroed.

In 5.2.8, mbstring.c, add line 2678.   (line 3199 in 5.3).

2673         default:
2674             convert_to_string_ex(arg_list);
2675             if (!php_mb_parse_encoding_list(Z_STRVAL_PP(arg_list), Z_STRLEN_PP(arg_list), &list, &     size, 0 TSRMLS_CC)) {
2676                 if (list) {
2677                     efree(list);
2678                     list = 0;           **********
2679                     size = 0;
2680                 }
2681             }

[2009-01-29 23:15 UTC] scottmac@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 25 14:01:31 2024 UTC