PHP :: Bug #68180 :: iconv_mime_decode can return extra characters in a header

Bug #68180

iconv_mime_decode can return extra characters in a header

Submitted:

2014-10-07 22:02 UTC

Modified:

2018-08-26 11:19 UTC

Votes:	1
Avg. Score:	4.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

chad at mailchimp dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

ICONV related

PHP Version:

5.6.1

OS:

Linux/Debian/x86-64

Private report:

CVE-ID:

None

View Developer Edit

[2014-10-07 22:02 UTC] chad at mailchimp dot com

Description:
------------
When ICONV's mime decoding functions are run against long strings with multi-byte character sets, extra characters not found in the input can be appended to the decoded value.

This seems to be due to a bug in _php_iconv_appendl in ext/iconv/iconv.c that will sometimes advance the length of the smart_str past the location where iconv actually wrote the converted bytes. This happens when the string is not large enough to store the next multi-byte character, but has space remaining.

I saw this with 5.5.17 and 5.6.1.

Here's the configure script I used to build PHP 5.6.1 to reproduce the bug and test the patch:
./configure --build=x86_64-linux-gnu --host=x86_64-linux-gnu --with-iconv



Test script:
---------------
<?php
$original = "=?UTF-8?Q?=E3=80=8E=E3=80=90=E5=A4=96=E8=B3=87=E7=B3=BB=E6=88=A6=E7=95=A5=E3=82=B3=E3=83=B3=E3=82=B5=E3=83=AB=E3=81=8C=E9=9B=86=E7=B5=90=E3=80=91=E3=83=88=E3=83=83=E3=83=97=E3=82=B3=E3=83=B3=E3=82=B5=E3=83=AB=E3=82=BF=E3=83=B3=E3=83=88=E3=81=A8=E8=A9=B1=E3=81=9B=E3=82=8B=E3=82=B3=E3=83=B3=E3=82=B5=E3=83=AB=E6=A5=AD=E7=95=8C=E7=A0=94=E7=A9=B6=E3=82=BB=E3=83=9F=E3=83=8A=E3=83=BC=E3=80=8F=E3=81=B8=E3=81=AE=E3=82=A8=E3=83=B3=E3=83=88=E3=83=AA=E3=83=BC=E3=81=82=E3=82=8A=E3=81=8C=E3=81=A8=E3=81=86=E3=81=94=E3=81=96=E3=81=84=E3=81=BE=E3=81=97=E3=81=9F=E3=80=82?=";
$decoded = iconv_mime_decode($original, ICONV_MIME_DECODE_STRICT, 'utf-8');

$prefs = array('input-charset' => 'UTF-8', 'output-charset' => 'UTF-8', 'scheme' => 'Q', 'line-length' => 1000);
$encoded = iconv_mime_encode('Subject', $decoded, $prefs);
list($_, $encoded) = explode(' ', $encoded, 2);

echo 'Before: ' . strlen($original) . ', After: ' . strlen($encoded) . "\n";
?>

Expected result:
----------------
Before: 561, After: 561

Actual result:
--------------
Before: 561, After: 567

Patches

iconv-appendl-length (last revision 2014-10-07 22:03 UTC by chad at mailchimp dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-09-09 16:53 UTC] cmb@php.net

-Status: Open +Status: Verified

[2015-09-09 16:53 UTC] cmb@php.net

Confirmed: <https://3v4l.org/XZmOA>.

[2018-08-26 11:19 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

[2018-08-26 11:26 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=efb86aef12ff4f8f3908ceff2844f7511f7d61eb
Log: Fix #68180: iconv_mime_decode can return extra characters in a header

[2018-08-26 11:26 UTC] cmb@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 13:00:01 2025 UTC