php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #66797 mb_substr only takes 32-bit signed integer
Submitted: 2014-02-28 15:40 UTC Modified: 2016-08-30 11:43 UTC
Votes:3
Avg. Score:2.7 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: astewart at online-buddies dot com Assigned: cmb (profile)
Status: Closed Package: mbstring related
PHP Version: 5.4.25 OS: MacOS 10.9.2; CentOS 6.4
Private report: No CVE-ID: None
 [2014-02-28 15:40 UTC] astewart at online-buddies dot com
Description:
------------
mb_substr takes an int argument for length, but does not accept all integers on a 64-bit compiled PHP. Instead, the number is treated as -(1<<31), and the string is therefore truncated to zero length.

Test script:
---------------
<?php
assert('"1" == mb_substr("1", 0, PHP_INT_MAX)');

Expected result:
----------------
No output

Actual result:
--------------
PHP Warning:  assert(): Assertion ""1" == mb_substr("1", 0, PHP_INT_MAX)" failed in t.php on line 2
PHP Stack trace:
PHP   1. {main}() t.php:0
PHP   2. assert() t.php:2

Patches

fix-66797.patch (last revision 2014-02-28 19:24 UTC) by astewart at online-buddies dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-30 11:43 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Assigned To: +Assigned To: cmb
 [2016-08-30 11:43 UTC] cmb@php.net
Thanks for reporting this issue.

The actual problem is that mbfl_substr() defines its `from` and
`len` parameters to be `int`. Therefore truncation is possible.
 [2016-08-30 13:27 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f10db36af2776f386b7433c5cbfe79e66edd14d
Log: Fix #66797: mb_substr only takes 32-bit signed integer
 [2016-08-30 13:27 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2f10db36af2776f386b7433c5cbfe79e66edd14d
Log: Fix #66797: mb_substr only takes 32-bit signed integer
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC