Bug #66797 mb_substr only takes 32-bit signed integer
Submitted: 2014-02-28 15:40 UTC Modified: 2016-08-30 11:43 UTC
Votes:3
Avg. Score:2.7 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: astewart at online-buddies dot com Assigned: cmb (profile)
Status: Closed Package: mbstring related
PHP Version: 5.4.25 OS: MacOS 10.9.2; CentOS 6.4
Private report: No CVE-ID: None
 [2014-02-28 15:40 UTC] astewart at online-buddies dot com
Description:
------------
mb_substr takes an int argument for length, but does not accept all integers on a 64-bit compiled PHP. Instead, the number is treated as -(1<<31), and the string is therefore truncated to zero length.

Test script:
---------------
<?php
assert('"1" == mb_substr("1", 0, PHP_INT_MAX)');

Expected result:
----------------
No output

Actual result:
--------------
PHP Warning:  assert(): Assertion ""1" == mb_substr("1", 0, PHP_INT_MAX)" failed in t.php on line 2
PHP Stack trace:
PHP   1. {main}() t.php:0
PHP   2. assert() t.php:2

Patches

fix-66797.patch (last revision 2014-02-28 19:24 UTC by astewart at online-buddies dot com)

Pull Requests

History

 [2016-08-30 11:43 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: cmb
 [2016-08-30 11:43 UTC] cmb@php.net
Thanks for reporting this issue.

The actual problem is that mbfl_substr() defines its `from` and
`len` parameters to be `int`. Therefore truncation is possible.
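
The truncation described in the comment above, as an added C example that is not part of the original report and is not libmbfl code: `substr_int`, `substr_size`, `call_narrow` and `call_wide` are hypothetical helpers, the sample strings are constructed, a 64-bit build is assumed, and widening to `size_t` is shown as one possible remedy rather than as the committed fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wide version: size_t parameters, length clamped to what is available. */
static size_t substr_size(const char *s, size_t from, size_t len,
                          char *out, size_t cap)
{
    size_t n = strlen(s);
    if (cap == 0) return 0;
    if (from >= n) { out[0] = '\0'; return 0; }
    if (len > n - from) len = n - from;   /* clamp without overflow */
    if (len > cap - 1) len = cap - 1;     /* leave room for the NUL */
    memcpy(out, s + from, len);
    out[len] = '\0';
    return len;
}

/* Narrow version: int parameters, the types the comment names for
 * mbfl_substr(). A non-positive length gives an empty result (simplified). */
static size_t substr_int(const char *s, int from, int len,
                         char *out, size_t cap)
{
    if (from < 0 || len <= 0) { if (cap) out[0] = '\0'; return 0; }
    return substr_size(s, (size_t)from, (size_t)len, out, cap);
}

/* Callers holding a 64-bit length, like PHP_INT_MAX on a 64-bit build. */
static size_t call_narrow(const char *s, int64_t len, char *out, size_t cap)
{
    /* Conversion to int keeps only the low 32 bits (implementation-defined;
     * gcc and clang reduce modulo 2^32), so INT64_MAX arrives as -1. */
    return substr_int(s, 0, (int)len, out, cap);
}

static size_t call_wide(const char *s, int64_t len, char *out, size_t cap)
{
    if (len < 0) { if (cap) out[0] = '\0'; return 0; }
    return substr_size(s, 0, (size_t)len, out, cap);
}

int main(void)
{
    char a[8], b[8];
    size_t n1 = call_narrow("1", INT64_MAX, a, sizeof a);
    size_t n2 = call_wide("1", INT64_MAX, b, sizeof b);
    printf("int: %zu \"%s\"  size_t: %zu \"%s\"\n", n1, a, n2, b);
    return 0;
}
```
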
 [2016-08-30 13:27 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f10db36af2776f386b7433c5cbfe79e66edd14d
Log: Fix #66797: mb_substr only takes 32-bit signed integer
 [2016-08-30 13:27 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f10db36af2776f386b7433c5cbfe79e66edd14d
Log: Fix #66797: mb_substr only takes 32-bit signed integer
 