php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68180 iconv_mime_decode can return extra characters in a header
Submitted: 2014-10-07 22:02 UTC Modified: 2018-08-26 11:19 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: chad at mailchimp dot com Assigned: cmb (profile)
Status: Closed Package: ICONV related
PHP Version: 5.6.1 OS: Linux/Debian/x86-64
Private report: No CVE-ID: None
 [2014-10-07 22:02 UTC] chad at mailchimp dot com
Description:
------------
When ICONV's mime decoding functions are run against long strings with multi-byte character sets, extra characters not found in the input can be appended to the decoded value.

This seems to be due to a bug in _php_iconv_appendl in ext/iconv/iconv.c that will sometimes advance the length of the smart_str past the location where iconv actually wrote the converted bytes. This happens when the string is not large enough to store the next multi-byte character, but has space remaining.

I saw this with 5.5.17 and 5.6.1.

Here's the configure script I used to build PHP 5.6.1 to reproduce the bug and test the patch:
./configure --build=x86_64-linux-gnu --host=x86_64-linux-gnu --with-iconv



Test script:
---------------
<?php
$original = "=?UTF-8?Q?=E3=80=8E=E3=80=90=E5=A4=96=E8=B3=87=E7=B3=BB=E6=88=A6=E7=95=A5=E3=82=B3=E3=83=B3=E3=82=B5=E3=83=AB=E3=81=8C=E9=9B=86=E7=B5=90=E3=80=91=E3=83=88=E3=83=83=E3=83=97=E3=82=B3=E3=83=B3=E3=82=B5=E3=83=AB=E3=82=BF=E3=83=B3=E3=83=88=E3=81=A8=E8=A9=B1=E3=81=9B=E3=82=8B=E3=82=B3=E3=83=B3=E3=82=B5=E3=83=AB=E6=A5=AD=E7=95=8C=E7=A0=94=E7=A9=B6=E3=82=BB=E3=83=9F=E3=83=8A=E3=83=BC=E3=80=8F=E3=81=B8=E3=81=AE=E3=82=A8=E3=83=B3=E3=83=88=E3=83=AA=E3=83=BC=E3=81=82=E3=82=8A=E3=81=8C=E3=81=A8=E3=81=86=E3=81=94=E3=81=96=E3=81=84=E3=81=BE=E3=81=97=E3=81=9F=E3=80=82?=";
$decoded = iconv_mime_decode($original, ICONV_MIME_DECODE_STRICT, 'utf-8');

$prefs = array('input-charset' => 'UTF-8', 'output-charset' => 'UTF-8', 'scheme' => 'Q', 'line-length' => 1000);
$encoded = iconv_mime_encode('Subject', $decoded, $prefs);
list($_, $encoded) = explode(' ', $encoded, 2);

echo 'Before: ' . strlen($original) . ', After: ' . strlen($encoded) . "\n";
?>

Expected result:
----------------
Before: 561, After: 561

Actual result:
--------------
Before: 561, After: 567

Patches

iconv-appendl-length (last revision 2014-10-07 22:03 UTC) by chad at mailchimp dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-09-09 16:53 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2015-09-09 16:53 UTC] cmb@php.net
Confirmed: <https://3v4l.org/XZmOA>.
 [2018-08-26 11:19 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2018-08-26 11:26 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=efb86aef12ff4f8f3908ceff2844f7511f7d61eb
Log: Fix #68180: iconv_mime_decode can return extra characters in a header
 [2018-08-26 11:26 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Sep 26 11:01:26 2018 UTC