Bug #76532 Integer overflow and excessive memory usage in mb_strimwidth
Submitted: 2018-06-26 11:35 UTC Modified: 2018-06-28 18:00 UTC
From: l-x+php at mailbox dot org Assigned:
Status: Closed Package: mbstring related
PHP Version: 7.2.7 OS: 4.17.0-gentoo
Private report: No CVE-ID: None
 [2018-06-26 11:35 UTC] l-x+php at mailbox dot org
Description:
------------
mb_strimwidth returns an empty string for $width > 2147483647

mb_strimwidth requires memory greater than $width - 2GB for the provided test script

Affected versions (as far as I can test):
  - PHP 5.6.36-pl0-gentoo (cli and fpm)
  - PHP 7.2.6 (cli and fpm)
 

Test script:
---------------
<?php

declare(strict_types=1);

function doIt(int $width): void
{
    $string_to_trim = 'some test string';
    $expected_result = $string_to_trim;
    $actual_result = mb_strimwidth($string_to_trim, 0, $width);

    echo <<<RESULT
Width:             $width
String to trim:    $string_to_trim
Expected result:   $expected_result
Acutal result:     $actual_result


RESULT;
}

$width = 2147483647;
doIt($width);
doIt($width + 1);

echo memory_get_peak_usage(true);


Expected result:
----------------
Width:             2147483647
String to trim:    some test string
Expected result:   some test string
Acutal result:     some test string

Width:             2147483648
String to trim:    some test string
Expected result:   some test string
Acutal result:     some test string

2149580800

Actual result:
--------------
Width:             2147483647
String to trim:    some test string
Expected result:   some test string
Acutal result:     some test string

Width:             2147483648
String to trim:    some test string
Expected result:   some test string
Acutal result:     

2149580800

 [2018-06-28 12:37 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-06-28 12:37 UTC] cmb@php.net
The integer overflow happens because `width` is a `zend_long`, but
is converted to `int` when `mbfl_strimwidth` is called[1].  PHP 7.3
shouldn't have this issue, since `mbfl_strimwidth` expects a
`size_t` now[2].

[1] <https://github.com/php/php-src/blob/php-7.2.7/ext/mbstring/mbstring.c#L3151>
[2] <https://github.com/php/php-src/blob/php-7.3.0alpha2/ext/mbstring/libmbfl/mbfl/mbfilter.c#L1677>
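Added example (not code from php-src or from the commenters): a C model of the narrowing described in the comment above, using the widths from the test script. The names `narrow_width`, `trim_len_int`, `trim_len_size` and `checked_narrow` are hypothetical, and the trimmers count one column per ASCII byte instead of implementing libmbfl's width logic.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models the call boundary: a 64-bit width narrowed to int. An out-of-range
 * conversion is implementation-defined; gcc and clang wrap modulo 2^32. */
static int narrow_width(int64_t width) { return (int)width; }

/* Hypothetical trimmer taking an int width (ASCII, one column per byte). */
static size_t trim_len_int(const char *s, int width)
{
    size_t n = 0;
    while (s[n] != '\0' && (int64_t)n < (int64_t)width)
        n++;
    return n; /* a negative width keeps nothing */
}

/* Same trimmer with a size_t width, the parameter type cited for 7.3. */
static size_t trim_len_size(const char *s, size_t width)
{
    size_t n = 0;
    while (s[n] != '\0' && n < width)
        n++;
    return n;
}

/* Checked narrowing: reject values an int cannot hold. Returns 0 on success. */
static int checked_narrow(int64_t width, int *out)
{
    if (width < INT_MIN || width > INT_MAX)
        return -1;
    *out = (int)width;
    return 0;
}

int main(void)
{
    const char *s = "some test string";             /* string from the report */
    int64_t widths[] = { 2147483647LL, 2147483648LL };
    for (size_t i = 0; i < 2; i++) {
        int w;
        printf("width=%lld int-path=%zu size_t-path=%zu fits-int=%s\n",
               (long long)widths[i], trim_len_int(s, narrow_width(widths[i])),
               trim_len_size(s, (size_t)widths[i]),
               checked_narrow(widths[i], &w) == 0 ? "yes" : "no");
    }
    return 0;
}
```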
 [2018-06-28 21:06 UTC] nikic@php.net
Automatic comment on behalf of schwarz@sc-networks.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bf5a802f5a87010cee94df1cda2918f3be8ae96e
Log: Fixed bug #76532 (excessive memory usage in mb_strimwidth)
 [2018-06-28 21:06 UTC] nikic@php.net
-Status: Verified +Status: Closed
 