php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47245 crash following mb_detect_encoding
Submitted: 2009-01-29 21:09 UTC Modified: 2009-01-29 23:15 UTC
From: j at korni dot net Assigned:
Status: Closed Package: mbstring related
PHP Version: 5.2.8 OS: Linux64
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: j at korni dot net
New email:
PHP Version: OS:

 

 [2009-01-29 21:09 UTC] j at korni dot net
Description:
------------
mb_detect_encoding issues warning "Illegal argument", then things go bezerk. Maybe some heap corruption.

Reproduce code:
---------------
<?php
  $str = "\357\277\357\277\275\357\277\275\357\277\275\357\277\275";
  $charset = mb_detect_encoding($str , "WINDOWS-1255,ASCII");
  echo "detect $charset\n";
  $str = mb_convert_encoding($str, "UTF-8", $charset);
  echo "convert %str\n";


Expected result:
----------------
detect WINDOWS-1255
convert <some UTF8-text>

Actual result:
--------------
Warning: mb_detect_encoding(): Illegal argument in ...
detect detec    *** note the corrupted string
Segmentation fault

#0  _zend_mm_alloc_int (heap=0xbbf2b0, size=6) at /home/me/src/php-5.2.8/Zend/zend_alloc.c:1780
#1  0x000000000063f3e0 in _estrndup (s=0xd37e38 "UTF-8", length=6)
    at /home/me/src/php-5.2.8/Zend/zend_alloc.c:2435
#2  0x00000000004ed164 in php_mb_parse_encoding_list (value=0xbbf2b0 "\001", value_length=6, 
    return_list=0x7fffdec7a400, return_size=0x7fffdec7a40c, persistent=0)
    at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:367
#3  0x00000000004ee602 in php_mb_convert_encoding (input=<value optimized out>, 
    length=<value optimized out>, _to_encoding=<value optimized out>, _from_encodings=0xd37e38 "UTF-8", 
    output_len=0x7fffdec7a468) at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:2443
#4  0x00000000004eeb44 in zif_mb_convert_encoding (ht=<value optimized out>, return_value=0xd37dc0, 
    return_value_ptr=<value optimized out>, this_ptr=<value optimized out>, 
    return_value_used=<value optimized out>) at /home/me/src/php-5.2.8/ext/mbstring/mbstring.c:2553
#5  0x000000000068608b in zend_do_fcall_common_helper_SPEC (execute_data=0x7fffdec7a6b0)
    at /home/me/src/php-5.2.8/Zend/zend_vm_execute.h:200
#6  0x00000000006763f3 in execute (op_array=0xd37268)
    at /home/me/src/php-5.2.8/Zend/zend_vm_execute.h:92
#7  0x0000000000658203 in zend_execute_scripts (type=8, retval=0x4, file_count=3)
    at /home/me/src/php-5.2.8/Zend/zend.c:1134
#8  0x00000000006184cb in php_execute_script (primary_file=0x7fffdec7cd20)
    at /home/me/src/php-5.2.8/main/main.c:2023
#9  0x00000000006d5a8c in main (argc=2, argv=0x7fffdec7cf18)
    at /home/me/src/php-5.2.8/sapi/cli/php_cli.c:1133




Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-01-29 22:05 UTC] j at korni dot net
Found the bug. list is freed twice if not zeroed.

In 5.2.8, mbstring.c, add line 2678.   (line 3199 in 5.3).

2673         default:
2674             convert_to_string_ex(arg_list);
2675             if (!php_mb_parse_encoding_list(Z_STRVAL_PP(arg_list), Z_STRLEN_PP(arg_list), &list, &     size, 0 TSRMLS_CC)) {
2676                 if (list) {
2677                     efree(list);
2678                     list = 0;           **********
2679                     size = 0;
2680                 }
2681             }
 [2009-01-29 23:15 UTC] scottmac@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 04 11:01:28 2024 UTC