[2013-09-27 18:50 UTC] mrubinsk at horde dot org
Description:
------------
When using the convert.quoted-printable-encode stream filter, if the stream contains a single bare CR line ending at the end of the stream when line-break-chars is set to CRLF, this can cause a segfault with certain values of line-length.
Changing the line-length in the test script, or setting line-break-chars to "\r" prevents the segfault.
Test script:
---------------
<?php
// Source stream whose last byte is a single bare CR.
$data = fopen('php://temp', 'r+');
fwrite($data, "test\r\ntest\r\n\r");
$stream = fopen("php://temp", 'r+');
// Encode on write with CRLF line breaks and a line-length of 5.
stream_filter_append($stream, 'convert.quoted-printable-encode', STREAM_FILTER_WRITE, array('line-length' => 5, 'line-break-chars' => "\r\n"));
rewind($data);
stream_copy_to_stream($data, $stream);
Expected result:
----------------
The data should be copied from the $data stream to the $stream stream, applying the convert filter.
Actual result:
--------------
Segfault.
Last updated: Sat Nov 01 04:00:02 2025 UTC
hey Moriyoshi: seems these codes are obviously wrong, if in_pp is null but the lb_ptr is smaller than lb_cnt, then it must segfault in the later "*in_pp";

php-5.4/ext/standard/filters.c:805
if ((in_pp == NULL || in_left_p == NULL) && (lb_ptr >=lb_cnt)) {
    return PHP_CONV_ERR_SUCCESS;
}
ps = (unsigned char *)(*in_pp);

I can verify that this change: - if ((in_pp == NULL || in_left_p == NULL) && (lb_ptr >=lb_cnt)) { + if ((in_pp == NULL || in_left_p == NULL)) { return PHP_CONV_ERR_SUCCESS; } fixes things. I'm not sure this affects anything else (I doubt it because, as laurence noted, once in_pp or in_left_p is null, there is no way anything else further in the method could ever be executed, since both will dereference a null pointer long before that.)
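Review bot: In the `+` line, dropping `&& (lb_ptr >=lb_cnt)` makes a NULL in_pp or in_left_p return PHP_CONV_ERR_SUCCESS even while lb_ptr is still below lb_cnt, which appears to be the state left by the report's trailing bare CR when line-break-chars is CRLF. Please confirm that the partially matched line-break bytes are still written out on that path rather than silently discarded, and add a regression test that checks the encoded output of the reported script, not only that it no longer crashes.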
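An added example, not PHP's code and not part of the original comments: a simplified C model of an encoder step that is called with a NULL input to flush. It returns before any dereference and still writes out a partially matched CRLF, such as the report's trailing bare CR. The names qp_state, qp_step, put and flush_pending are hypothetical; the model assumes CRLF line breaks and omits line-length wrapping.

```c
#include <stddef.h>
/* Simplified model, not PHP's filters.c. lb_ptr = CRLF bytes matched but not yet written. */
typedef struct { size_t lb_ptr; } qp_state;

static const unsigned char LB[2] = { '\r', '\n' };
static const char HEX[] = "0123456789ABCDEF";

/* Append one byte to out, literally or as =XX. Returns 0 when out is full. */
static int put(char *out, size_t cap, size_t *n, unsigned char c, int literal) {
    size_t need = literal ? 1 : 3;
    if (*n + need >= cap) return 0;           /* keep room for the NUL */
    if (literal) { out[(*n)++] = (char)c; }
    else { out[(*n)++] = '='; out[(*n)++] = HEX[c >> 4]; out[(*n)++] = HEX[c & 15]; }
    out[*n] = '\0';
    return 1;
}

/* Write a partial line-break match as encoded bytes and clear it. */
static int flush_pending(qp_state *st, char *out, size_t cap, size_t *n) {
    for (size_t i = 0; i < st->lb_ptr; i++)
        if (!put(out, cap, n, LB[i], 0)) return 0;
    st->lb_ptr = 0;
    return 1;
}

/* in == NULL means "flush". Returns 0 on success, -1 if out is too small. */
int qp_step(qp_state *st, const unsigned char *in, size_t len,
            char *out, size_t cap, size_t *n) {
    if (in == NULL)                           /* never dereference on flush */
        return flush_pending(st, out, cap, n) ? 0 : -1;
    for (size_t i = 0; i < len; ) {
        unsigned char c = in[i];
        if (c == LB[st->lb_ptr]) {            /* extends a line-break match */
            i++;
            if (++st->lb_ptr == sizeof LB) {  /* full CRLF: pass it through */
                st->lb_ptr = 0;
                if (!put(out, cap, n, '\r', 1) || !put(out, cap, n, '\n', 1)) return -1;
            }
        } else if (st->lb_ptr > 0) {          /* match broke: emit it, retry c */
            if (!flush_pending(st, out, cap, n)) return -1;
        } else {
            int literal = (c >= 32 && c <= 126 && c != '=');
            if (!put(out, cap, n, c, literal)) return -1;
            i++;
        }
    }
    return 0;
}
```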