php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76532 Integer overflow and excessive memory usage in mb_strimwidth
Submitted: 2018-06-26 11:35 UTC Modified: 2018-06-28 18:00 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: l-x+php at mailbox dot org Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.2.7 OS: 4.17.0-gentoo
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: l-x+php at mailbox dot org
New email:
PHP Version: OS:

 

 [2018-06-26 11:35 UTC] l-x+php at mailbox dot org 
Description:
------------
mb_strimwidth returns an empty string for $width > 2147483647

mb_strimwidth requires memory greater than $width - 2GB for the provided test script

Affected versions (as far as I can test):
  - PHP 5.6.36-pl0-gentoo (cli and fpm)
  - PHP 7.2.6 (cli and fpm)
 

Test script:
---------------
<?php

declare(strict_types=1);

function doIt(int $width): void
{
    $string_to_trim = 'some test string';
    $expected_result = $string_to_trim;
    $actual_result = mb_strimwidth($string_to_trim, 0, $width);

    echo <<<RESULT
Width:             $width
String to trim:    $string_to_trim
Expected result:   $expected_result
Acutal result:     $actual_result


RESULT;
}

$width = 2147483647;
doIt($width);
doIt($width + 1);

echo memory_get_peak_usage(true);


Expected result:
----------------
Width:             2147483647
String to trim:    some test string
Expected result:   some test string
Acutal result:     some test string

Width:             2147483648
String to trim:    some test string
Expected result:   some test string
Acutal result:     some test string

2149580800

Actual result:
--------------
Width:             2147483647
String to trim:    some test string
Expected result:   some test string
Acutal result:     some test string

Width:             2147483648
String to trim:    some test string
Expected result:   some test string
Acutal result:     

2149580800

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-28 12:37 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-06-28 12:37 UTC] cmb@php.net 
The integer overflow happens because `width` is a `zend_long`, but
is converted to `int` when `mbfl_strimwidth` is called[1].  PHP 7.3
shouldn't have this issue, since `mbfl_strimwidth` expects a
`size_t` now[2].

[1] <https://github.com/php/php-src/blob/php-7.2.7/ext/mbstring/mbstring.c#L3151>
[2] <https://github.com/php/php-src/blob/php-7.3.0alpha2/ext/mbstring/libmbfl/mbfl/mbfilter.c#L1677>
 [2018-06-28 18:00 UTC] cmb@php.net 
PR: <https://github.com/php/php-src/pull/3348>.
 [2018-06-28 21:06 UTC] nikic@php.net 
Automatic comment on behalf of schwarz@sc-networks.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf5a802f5a87010cee94df1cda2918f3be8ae96e
Log: Fixed bug #76532 (excessive memory usage in mb_strimwidth)
 [2018-06-28 21:06 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC