Bug #50226 [PATCH] - Insufficient memory allocation for unicode string
Submitted: 2009-11-19 10:03 UTC Modified: 2009-11-24 11:08 UTC
From: yoarvi at gmail dot com Assigned:
Status: Closed Package: *Unicode Issues
PHP Version: 6SVN-2009-11-19 (SVN) OS: Solaris 5.10 (SPARC)
Private report: No CVE-ID: None
 [2009-11-19 10:03 UTC] yoarvi at gmail dot com
Description:
------------
ext/standard/string.c:3460 allocates only 1 extra byte for the terminating null
		str.u = safe_emalloc(2, UBYTES(old_len), 1);

but then assigns a null at line 3482 using 
		*q.u = 0;
which writes 2 bytes.

The following patch fixes the problem:

Index: ext/standard/string.c
===================================================================
--- ext/standard/string.c	(revision 290968)
+++ ext/standard/string.c	(working copy)
@@ -3457,7 +3457,7 @@
 
 	if (type == IS_UNICODE) {
 		old_end.u = old.u + old_len;
-		str.u = safe_emalloc(2, UBYTES(old_len), 1);
+		str.u = safe_emalloc(2, UBYTES(old_len), UBYTES(1));
 
 		for (p.u = old.u, q.u = str.u; p.u != old_end.u; p.u++) {
 			cp = *p.u;
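Review bot: the unit change on the offset is the right fix; the loop that follows stores UChars and the trailing `*q.u = 0` is a UChar-wide write, so the terminator needs UBYTES(1) while the `2 * UBYTES(old_len)` term already covers one backslash per input character. Consider a one-line comment above the allocation saying both terms are in UChar bytes, since mixing a raw `1` with UBYTES() is exactly how this off-by-one slipped in, and the overflow only surfaces under --enable-debug where the allocator checks its guard magic.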


Reproduce code:
---------------
./configure --enable-debug

% sapi/cli/php ext/standard/tests/strings/quotemeta_basic.php


Expected result:
----------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
unicode(20) "\\\+\*\?\[\^\]\(\$\)"


Actual result:
--------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
[Thu Nov 19 15:35:30 2009]  Script:  'ext/standard/tests/strings/quotemeta_basic.php'
---------------------------------------
/home/arvi/php-trunk/ext/standard/string.c(3483) : Block 0x0969aed4 status:
Beginning:  	OK (allocated on /home/arvi/php-trunk/ext/standard/string.c:3460, 41 bytes)
    Start:	OK
      End:	Overflown (magic=0x00000000 instead of 0x2C8088DB)
          	1 byte(s) overflown
---------------------------------------
unicode(20) ""
[Thu Nov 19 15:35:30 2009]  Script:  'ext/standard/tests/strings/quotemeta_basic.php'
/home/arvi/php-trunk/ext/standard/string.c(3460) :  Freeing 0x0969AED4 (41 bytes), script=ext/standard/tests/strings/quotemeta_basic.php
/home/arvi/php-trunk/Zend/zend_alloc.c(2446) : Actual location (location was relayed)
=== Total 1 memory leaks detected ===
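The size arithmetic behind this report, as an added C example that is not PHP's code: UChar and UBYTES are modelled here after PHP 6's 16-bit unicode strings, alloc_before_fix()/alloc_after_fix() reproduce the two safe_emalloc() expressions from the patch, and quotemeta_u() is a stand-in for the unicode branch of quotemeta() using the corrected size. For the 10-character third test string it yields 41 bytes before the fix against 42 needed, the 1-byte overflow the debug allocator reports above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* UChar/UBYTES model PHP 6's 16-bit unicode strings (constructed here,
 * not taken from PHP's headers): UBYTES(n) is the byte size of n UChars. */
typedef uint16_t UChar;
#define UBYTES(n) ((size_t)(n) * sizeof(UChar))

/* Bytes the loop may touch: every char escaped (2 UChars) plus 1 UChar NUL. */
static size_t bytes_needed(size_t old_len) { return UBYTES(2 * old_len) + UBYTES(1); }

/* safe_emalloc(nmemb, size, offset) returns nmemb * size + offset bytes.
 * Before the patch the offset was 1 byte; the terminator is 1 UChar. */
static size_t alloc_before_fix(size_t old_len) { return 2 * UBYTES(old_len) + 1; }
static size_t alloc_after_fix(size_t old_len)  { return 2 * UBYTES(old_len) + UBYTES(1); }

/* quotemeta over UChars using the corrected size; returns a malloc'd,
 * NUL-terminated buffer and stores the escaped length in *new_len. */
static UChar *quotemeta_u(const UChar *old, size_t old_len, size_t *new_len) {
    UChar *str = malloc(alloc_after_fix(old_len));
    if (!str) return NULL;
    UChar *q = str;
    for (const UChar *p = old; p != old + old_len; p++) {
        switch (*p) {
        case '.': case '\\': case '+': case '*': case '?': case '[':
        case '^': case ']': case '$': case '(': case ')':
            *q++ = '\\'; /* fall through */
        default:
            *q++ = *p;
        }
    }
    *q = 0;                     /* this store is UBYTES(1) == 2 bytes wide */
    *new_len = (size_t)(q - str);
    return str;
}

/* Test helper: widen ASCII to UChar, run quotemeta_u, compare to expected. */
static int quotemeta_ascii_is(const char *in, const char *expected) {
    size_t n = strlen(in), m, i, ok;
    UChar *u = malloc(UBYTES(n) + UBYTES(1));
    if (!u) return 0;
    for (i = 0; i < n; i++) u[i] = (UChar)(unsigned char)in[i];
    UChar *out = quotemeta_u(u, n, &m);
    ok = out && m == strlen(expected);
    for (i = 0; ok && i < m; i++) ok = out[i] == (UChar)(unsigned char)expected[i];
    free(u); free(out);
    return (int)ok;
}
```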


 [2009-11-24 11:08 UTC] svn@php.net
Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=291259
Log: Fixed #50226 (Insufficient memory allocation for unicode string)
 - Patch by yoarvi at gmail dot com
 [2009-11-24 11:08 UTC] kalle@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 01:01:30 2024 UTC