Bug #13413 Seg Fault when urlencoding a binary string
Submitted: 2001-09-24 06:23 UTC Modified: 2001-10-20 06:58 UTC
From: php at manuel dot mailshell dot com Assigned:
Status: Closed Package: Strings related
PHP Version: 4.0.6 OS: Linux 2.4
Private report: No CVE-ID: None


 [2001-09-24 06:23 UTC] php at manuel dot mailshell dot com
If we pass a binary string which contains a byte with
an ASCII value of "0" to urlencode, then PHP will segfault.

This short script will demonstrate the problem.  Notice
that I am using urldecode because I have no way
of printing an ASCII value of 0.

$initString = "%00an%3E";
$binaryString = urldecode($initString);
$encodedString = urlencode($binaryString);

I believe the problem is in file ../ext/standard/url.c
and in function php_url_encode().  This function
allocates memory for the new string after determining
the length of the input string via strlen(). However, a 
binary string could contain a byte with a value of zero, 
thereby yielding a shorter string length and not enough
memory allocated.

I'll also include a suggested patch below.

--- ext/standard/url.c.orig     Mon Sep 24 02:53:54 2001
+++ ext/standard/url.c  Mon Sep 24 02:53:38 2001
@@ -239,7 +239,7 @@
        register int x, y;
        unsigned char *str;
-       str = (unsigned char *) emalloc(3 * strlen(s) + 1);
+       str = (unsigned char *) emalloc(3 * len + 1);
        for (x = 0, y = 0; len--; x++, y++) {
                str[y] = (unsigned char) s[x];
                if (str[y] == ' ') {
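
Review bot: On the added line `str = (unsigned char *) emalloc(3 * len + 1);` the size is computed with no overflow guard. If len is an int like x and y, a value above roughly a third of INT_MAX makes 3 * len + 1 wrap, and the buffer is under-allocated again for the same loop. Suggest rejecting or capping len before the emalloc, and adding a short comment that the allocation has to stay ahead of the for loop, since the loop condition `len--` consumes len.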

P.S. Thanks for working on PHP, it's a fantastic language
and I appreciate your effort.
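
Added example (not part of the original report and not PHP's source): the sizing mismatch described in the report, computed on the report's own input bytes, next to an encoder that sizes its buffer from the explicit length. The function names are hypothetical, and the set of characters left unencoded follows PHP's documented urlencode() behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-patch sizing: strlen() stops counting at the first zero byte. */
size_t alloc_by_strlen(const char *s) { return 3 * strlen(s) + 1; }
/* Patched sizing: worst case is 3 output bytes per input byte, plus NUL. */
size_t alloc_by_len(size_t len) { return 3 * len + 1; }
/* Length-based encoder (hypothetical name). Returns a malloc'd string,
 * or NULL if 3 * len + 1 would overflow or the allocation fails. */
char *url_encode_n(const char *s, size_t len, size_t *out_len)
{
    static const char hex[] = "0123456789ABCDEF";
    unsigned char *out;
    size_t x, y = 0;
    if (len > (SIZE_MAX - 1) / 3) return NULL;
    out = malloc(alloc_by_len(len));
    if (out == NULL) return NULL;
    for (x = 0; x < len; x++) {
        unsigned char c = (unsigned char)s[x];
        if (c == ' ') {
            out[y++] = '+';
        } else if ((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                   (c >= 'a' && c <= 'z') || c == '-' || c == '.' || c == '_') {
            out[y++] = c;
        } else {                      /* includes the zero byte: "%00" */
            out[y++] = '%';
            out[y++] = hex[c >> 4];
            out[y++] = hex[c & 0x0F];
        }
    }
    out[y] = '\0';
    if (out_len) *out_len = y;
    return (char *)out;
}

int main(void)
{
    /* Constructed input: the bytes urldecode("%00an%3E") yields in the report. */
    const char in[4] = { 0x00, 'a', 'n', '>' };
    size_t n = 0;
    char *enc = url_encode_n(in, sizeof in, &n);
    printf("strlen-sized: %zu bytes, len-sized: %zu bytes\n",
           alloc_by_strlen(in), alloc_by_len(sizeof in));
    if (enc) printf("encoded (%zu bytes): %s\n", n, enc);
    free(enc);
    return 0;
}
```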



 [2001-10-20 06:00 UTC]
Reproduced on Win2K (PHP-4.1.0RC1, Apache 1.3.22, it simply crashes) and Debian Linux (PHP-4.0.6 on Apache 1.3.20, segfaults in error_log).

Marking as critical.
 [2001-10-20 06:58 UTC]
Fixed in CVS