|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-10-03 07:13 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-10-03 07:13 UTC] stas@php.net
[2016-10-03 07:22 UTC] minhrau dot vc dot 365 at gmail dot com
[2016-10-11 23:45 UTC] stas@php.net
[2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-10-12 23:35 UTC] ab@php.net
[2016-10-14 02:23 UTC] ab@php.net
[2016-10-17 10:07 UTC] bwoebi@php.net
[2017-02-13 01:11 UTC] stas@php.net
-Type: Security
+Type: Bug
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Oct 25 21:00:01 2025 UTC |
Description: ------------ integer overflow in function imap_8bit will cause string length > int max. PHP_FUNCTION(imap_8bit) { char *text, *decode; int text_len; unsigned long newlength; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &text, &text_len) == FAILURE) { return; } decode = (char *) rfc822_8bit((unsigned char *) text, text_len, &newlength); //here produce string with length > int max if (decode == NULL) { RETURN_FALSE; } RETVAL_STRINGL(decode, newlength, 1); fs_give((void**) &decode); Test script: --------------- <?php ini_set('memory_limit', -1); $str = str_repeat('รณ', 0xffffffff/10); var_dump(strlen($str)); $str1 = imap_8bit($str); var_dump(strlen($str1)); ?> Expected result: ---------------- String length < int max Actual result: -------------- negative length value