Bug #72927 integer overflow in xml_utf8_encode
Submitted: 2016-08-23 06:08 UTC Modified: 2017-02-13 01:27 UTC
From: ahihibughunter at gmail dot com Assigned: stas (profile)
Status: Closed Package: XML related
PHP Version: 5.6Git-2016-08-23 (Git) OS: All
Private report: No CVE-ID: None
 [2016-08-23 06:08 UTC] ahihibughunter at gmail dot com
In the xml_utf8_encode function, safe_emalloc does not check the value it allocates for the string used to store the result of the encoded buffer. This causes the length of the string after encoding to be > INT_MAX.

PHPAPI char *xml_utf8_encode(const char *s, int len, int *newlen, const XML_Char *encoding)
	newbuf = safe_emalloc(len, 4, 1); // <- must check size of safe_emalloc here
	} else if (c < 0x800) {
		newbuf[(*newlen)++] = (0xc0 | (c >> 6));
		newbuf[(*newlen)++] = (0x80 | (c & 0x3f));

Test script:
<?php
ini_set('memory_limit', -1);              // allow the multi-GB buffers this needs
// 'Ã' is two bytes (C3 83) in a UTF-8 source file, so $a is 2 * 715827872 = 1431655744 bytes,
// the len seen in the gdb output below; each byte encodes to two, so the output exceeds INT_MAX.
$a = str_repeat('Ã', (0xffffffff/6) - 10);
$b = utf8_encode($a);                     // crashes inside xml_utf8_encode

Expected result:
No crash

Actual result:
$gdb /data/php-src-PHP-5.6.25/sapi/cli/php                  
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.

Program received signal SIGSEGV, Segmentation fault.                                
0x000000000095b841 in xml_utf8_encode (                                             
    s=0x7fffd95e9070 'Ã' <repeats 100 times>..., len=1431655744,                    
    newlen=0x7fffffffabb0, encoding=0x10a27f1 "ISO-8859-1")                         
    at /data/php-src-PHP-5.6.25/ext/xml/xml.c:642 
642                             newbuf[(*newlen)++] = (0xc0 | (c >> 6));
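Added example, not PHP's code: a simplified Latin-1 to UTF-8 encoder in C with the same int-sized len/newlen interface as xml_utf8_encode, which refuses input whose worst-case output length cannot fit in an int, the kind of pre-allocation check the report asks for. The function names, MAX_EXPANSION and the test strings are assumptions for illustration; the actual PHP fix is the commit referenced below and is not reproduced here.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's xml_utf8_encode. Each Latin-1 byte expands to at
 * most 2 UTF-8 bytes; PHP sizes its buffer for 4 (safe_emalloc(len, 4, 1))
 * because other input encodings can expand further, so the same worst-case
 * factor is kept here (assumption for illustration). */
#define MAX_EXPANSION 4

/* Returns 1 if len input bytes can be encoded without the int output counter
 * (*newlen) passing INT_MAX, 0 otherwise. In the report the allocation itself
 * succeeded on 64-bit and the crash came at the write, once newlen (an int)
 * had wrapped; checking len against INT_MAX / MAX_EXPANSION before
 * allocating rejects such input up front. */
static int encoded_len_fits(int len) {
    return len >= 0 && len <= (INT_MAX - 1) / MAX_EXPANSION;
}

/* Encode s[0..len) as Latin-1 into a fresh NUL-terminated UTF-8 buffer.
 * Returns NULL (with *newlen = 0) instead of overflowing the counter. */
static char *latin1_to_utf8(const unsigned char *s, int len, int *newlen) {
    *newlen = 0;
    if (!encoded_len_fits(len)) return NULL;
    char *newbuf = malloc((size_t)len * MAX_EXPANSION + 1);
    if (!newbuf) return NULL;
    for (int i = 0; i < len; i++) {
        unsigned c = s[i];
        if (c < 0x80) {
            newbuf[(*newlen)++] = (char)c;
        } else { /* c < 0x100 for Latin-1, so always the 2-byte form */
            newbuf[(*newlen)++] = (char)(0xc0 | (c >> 6));
            newbuf[(*newlen)++] = (char)(0x80 | (c & 0x3f));
        }
    }
    newbuf[*newlen] = '\0';
    return newbuf;
}

/* Helper: encode a NUL-terminated Latin-1 string and compare the result with
 * the expected UTF-8 bytes. Returns 1 on a match, 0 otherwise. */
static int encodes_to(const char *latin1, const char *expected_utf8) {
    int n = 0;
    char *out = latin1_to_utf8((const unsigned char *)latin1, (int)strlen(latin1), &n);
    if (!out) return 0;
    int ok = n == (int)strlen(expected_utf8) && memcmp(out, expected_utf8, (size_t)n) == 0;
    free(out);
    return ok;
}

int main(void) {
    /* The len from the gdb output: rejected before any allocation. */
    printf("len 1431655744 fits in int output: %d\n", encoded_len_fits(1431655744));
    /* A single 0xC3 byte (constructed sample) encodes to C3 83. */
    printf("\\xC3 -> \\xC3\\x83: %d\n", encodes_to("\xC3", "\xC3\x83"));
    return 0;
}
```

The check is deliberately placed before malloc: on a 64-bit build the 4*len+1 byte allocation for the reported len may succeed, so the overflow only shows up later as an out-of-bounds write, which is the crash shown above.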

 [2016-08-23 10:43 UTC] ahihibughunter at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-08-23 10:43 UTC] ahihibughunter at gmail dot com
I think this is security bug.
 [2016-09-02 06:32 UTC]
-Assigned To: +Assigned To: stas
 [2016-09-02 06:32 UTC]
The fix is in security repo as 0f1eb74e92191e817b4198ceda4e8f093699da62 and in
please verify
 [2016-09-02 15:21 UTC] ahihibughunter at gmail dot com
The patch looks OK.
 [2016-09-13 04:12 UTC]
-Status: Assigned +Status: Closed
 [2016-09-13 04:12 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2017-02-13 01:27 UTC]
-Type: Security +Type: Bug
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Dec 02 10:01:26 2023 UTC