|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2021-08-18 04:04 UTC] stas@php.net
-Type: Security
+Type: Bug
[2021-08-18 08:19 UTC] nikic@php.net
[2021-08-18 08:36 UTC] yguoaz at gmail dot com
[2021-08-18 09:48 UTC] nikic@php.net
[2021-08-19 11:44 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
[2021-08-19 11:44 UTC] cmb@php.net
[2021-08-19 11:44 UTC] cmb@php.net
-Package: *General Issues
+Package: Strings related
[2021-08-19 12:21 UTC] yguoaz at gmail dot com
-Status: Feedback
+Status: Assigned
[2021-08-19 12:21 UTC] yguoaz at gmail dot com
[2021-08-19 12:34 UTC] cmb@php.net
-Status: Assigned
+Status: Not a bug
[2021-08-19 12:34 UTC] cmb@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 19 20:01:29 2024 UTC |
Description: ------------ In the file ext/standard/string.c, the PHP_FUNCTION wordwrap has the following code: PHP_FUNCTION(wordwrap) { zend_long linelength = 75; ZEND_PARSE_PARAMETERS_START(1, 4) ... Z_PARAM_LONG(linelength) Z_PARAM_STRING(breakchar, breakchar_len) Z_PARAM_BOOL(docut) ZEND_PARSE_PARAMETERS_END(); ... if (linelength == 0 && docut) { RETURN_THROWS(); } if (breakchar_len == 1 && !docut) { ... } else { ... for (current = 0; current < (zend_long)ZSTR_LEN(text); current++) { if (chk == 0) { alloced += (size_t) (((ZSTR_LEN(text) - current + 1)/linelength + 1) * breakchar_len) + 1; newtext = zend_string_extend(newtext, alloced, 0); chk = (size_t) ((ZSTR_LEN(text) - current)/linelength) + 1; } ... } } } When the parameters satisfy linelength == 0 && docut == 0 && breakchar_len > 1, the variable linelength may be used as a divisor in the for loop, leading to a divide by zero bug. Here is the link to the related code location: https://github.com/php/php-src/blob/e86a0a905dd091a82bea2ff56845297171ea7249/ext/standard/string.c#L954