Bug #47245 crash following mb_detect_encoding
Submitted: 2009-01-29 21:09 UTC Modified: 2009-01-29 23:15 UTC
From: j at korni dot net Assigned:
Status: Closed Package: mbstring related
PHP Version: 5.2.8 OS: Linux64
Private report: No CVE-ID: None
 [2009-01-29 21:09 UTC] j at korni dot net
Description:
------------
mb_detect_encoding issues warning "Illegal argument", then things go berserk. Maybe some heap corruption.

Reproduce code:
---------------
<?php
  // Constructed input: UTF-8 bytes of U+FFFD, with the first sequence truncated
  $str = "\357\277\357\277\275\357\277\275\357\277\275\357\277\275";
  // Detection fails on this input and returns false, which is then passed on as $charset
  $charset = mb_detect_encoding($str , "WINDOWS-1255,ASCII");
  echo "detect $charset\n";
  $str = mb_convert_encoding($str, "UTF-8", $charset);
  echo "convert $str\n";


Expected result:
----------------
detect WINDOWS-1255
convert <some UTF8-text>

Actual result:
--------------
Warning: mb_detect_encoding(): Illegal argument in ...
detect detec    *** note the corrupted string
Segmentation fault

#0  _zend_mm_alloc_int (heap=0xbbf2b0, size=6) at /home/me/src/php-5.2.8/Zend/zend_alloc.c:1780
#1  0x000000000063f3e0 in _estrndup (s=0xd37e38 "UTF-8", length=6)
    at /home/me/src/php-5.2.8/Zend/zend_alloc.c:2435
#2  0x00000000004ed164 in php_mb_parse_encoding_list (value=0xbbf2b0 "\001", value_length=6, 
    return_list=0x7fffdec7a400, return_size=0x7fffdec7a40c, persistent=0)
    at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:367
#3  0x00000000004ee602 in php_mb_convert_encoding (input=<value optimized out>, 
    length=<value optimized out>, _to_encoding=<value optimized out>, _from_encodings=0xd37e38 "UTF-8", 
    output_len=0x7fffdec7a468) at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:2443
#4  0x00000000004eeb44 in zif_mb_convert_encoding (ht=<value optimized out>, return_value=0xd37dc0, 
    return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, 
    return_value_used=<value optimized out>) at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:2553
#5  0x000000000068608b in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffdec7a6b0)
    at /home/me/src/php-5.2.8/Zend/zend_vm_execute.h:200
#6  0x00000000006763f3 in execute (op_array=0xd37268)
    at /home/me/src/php-5.2.8/Zend/zend_vm_execute.h:92
#7  0x0000000000658203 in zend_execute_scripts (type=8, retval=0x4, file_count=3)
    at /home/me/src/php-5.2.8/Zend/zend.c:1134
#8  0x00000000006184cb in php_execute_script (primary_file=0x7fffdec7cd20)
    at /home/me/src/php-5.2.8/main/main.c:2023
#9  0x00000000006d5a8c in main (argc=2, argv=0x7fffdec7cf18)
    at /home/me/src/php-5.2.8/sapi/cli/php_cli.c:1133

 [2009-01-29 22:05 UTC] j at korni dot net
Found the bug. list is freed twice if not zeroed.

In 5.2.8, mbstring.c, add line 2678.   (line 3199 in 5.3).

2673         default:
2674             convert_to_string_ex(arg_list);
2675             if (!php_mb_parse_encoding_list(Z_STRVAL_PP(arg_list), Z_STRLEN_PP(arg_list), &list, &size, 0 TSRMLS_CC)) {
2676                 if (list) {
2677                     efree(list);
2678                     list = 0;           **********
2679                     size = 0;
2680                 }
2681             }
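The double free described in this comment, modelled as added C code that is not PHP's source: a simplified stand-in for php_mb_parse_encoding_list (only three names are "known") and the default: branch above, with a constructed allocation ledger so the dangling-pointer path is counted rather than corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* constructed ledger of outstanding allocations */
static int double_frees = 0;   /* counted here instead of corrupting the heap */

static void *xalloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; i < MAX_LIVE; i++) if (!live[i]) { live[i] = p; return p; }
    abort();
}
static void xfree(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;            /* p was already released: the 5.2.8 crash path */
}
static int double_free_count(void) { return double_frees; }

/* Simplified stand-in for php_mb_parse_encoding_list: allocates *list up front,
 * returns 0 on an unknown name and, like the real function, leaves *list
 * allocated for the caller to release. Only these three names are "known". */
static int parse_encoding_list(const char *value, int **list, int *size) {
    static const char *known[] = { "UTF-8", "ASCII", "WINDOWS-1255" };
    int n = 0;
    *list = xalloc((strlen(value) + 1) * sizeof(int));  /* upper bound on tokens */
    while (*value) {
        size_t len = strcspn(value, ",");
        int idx = -1;
        for (int k = 0; k < 3; k++)
            if (strlen(known[k]) == len && strncmp(known[k], value, len) == 0) idx = k;
        if (idx < 0) { *size = n; return 0; }   /* unknown encoding: fail, *list stays allocated */
        (*list)[n++] = idx;
        value += len + (value[len] == ',');
    }
    *size = n;
    return 1;
}

/* Mirrors the default: branch quoted above. fixed == 0 is the 5.2.8 error path
 * (free but leave the pointer dangling); fixed == 1 adds the patch's nulling.
 * Returns the number of parsed encodings, or -1 on a parse failure. */
static int convert_encoding(const char *from_list, int fixed) {
    int *list = NULL, size = 0, ok;
    ok = parse_encoding_list(from_list, &list, &size);
    if (!ok && list) {
        xfree(list);
        if (fixed) { list = NULL; size = 0; }
    }
    /* ... conversion would use list/size here ... */
    if (list) xfree(list);     /* common cleanup: the second free when not nulled */
    return ok ? size : -1;
}
```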
 [2009-01-29 23:15 UTC] scottmac@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
