PHP :: Bug #3812 :: urlencode not bin-safe

Bug #3812	urlencode not bin-safe
Submitted:	2000-03-12 08:06 UTC	Modified:	2002-09-30 17:53 UTC
From:	baumert at pilot-webdesign dot de	Assigned:
Status:	Closed	Package:	Reproducible Crash
PHP Version:	3.0.15	OS:	Linux Redhat 5.2, 2.0.36, glibc2
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	baumert at pilot-webdesign dot de
New email:
PHP Version:		OS:

New Comment:

[2000-03-12 08:06 UTC] baumert at pilot-webdesign dot de

The urlencode function is not binary safe. It retrieves the length of the string to encode as a parameter,
then uses strlen to allocate the new buffer. Strlen returns wrong length for the bin-string.
After that, the len-parameter is used to fill the buffer => a buffer-overwrite occurs.

php 4 beta 4 pl1:

change line 241 from 
      str = (unsigned char *) emalloc(3 * strlen(s) + 1);
to 
      str = (unsigned char *) emalloc(3 * len + 1);

php 3.15

change line 242 from
  str = (unsigned char *) emalloc(3 * strlen(s) + 1);
to
  str = (unsigned char *) emalloc(3 * len + 1);

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-09-30 17:53 UTC] hholzgra@php.net

this is ok in php 4.2.3 code

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Sep 15 03:00:01 2025 UTC