Patch quotedfix revision 2013-05-22 07:07 UTC by stas@php.net

Patch quotedfix for Strings related Bug #64879

Patch version 2013-05-22 07:07 UTC


Developer: stas@php.net

From 101d30f849d4a33c4bddd8813133303c89b16530 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 20 May 2013 00:43:29 -0700
Subject: [PATCH] fix CVE-2013-2110 - use correct formula to calculate string size

---
 NEWS                                     |    2 ++
 ext/standard/quot_print.c                |    4 ++--
 ext/standard/tests/strings/bug64879.phpt |   12 ++++++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/strings/bug64879.phpt

diff --git a/NEWS b/NEWS
index c7aff7f..63893e6 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2013, PHP 5.4.16
 
 - Core:
+  . Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode)
+    (CVE-2013-2110). (Stas)
   . Fixed bug #64729 (compilation failure on x32). (Gustavo)
   . Fixed bug #64853 (Use of no longer available ini directives causes crash on
     TS build). (Anatol)
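Review bot: the entry is filed under the "- Core:" section, but the fixed code lives in ext/standard/quot_print.c, so it belongs with the standard-extension entries if NEWS keeps a section for those; the wording itself is fine and correctly cites both the bug number and the CVE.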
diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
index 28dcc63..0df1273 100644
--- a/ext/standard/quot_print.c
+++ b/ext/standard/quot_print.c
@@ -151,7 +151,7 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len
 	unsigned char c, *ret, *d;
 	char *hex = "0123456789ABCDEF";
 
-	ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0);
+	ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1);
 	d = ret;
 
 	while (length--) {
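Review bot: the replacement still evaluates `3 * length` as an unchecked multiplication inside the second argument; safe_emalloc only guards the nmemb * size + offset product it is handed, so the guarded quantity is now 3 * (length + ...) + 1 while the division operand `(3 * length)/(PHP_QPRINT_MAXL-9)` can still wrap on builds where length approaches SIZE_MAX / 3. Consider computing the line-break count from `length / ((PHP_QPRINT_MAXL-9)/3)` or similar so no intermediate exceeds length. Separately, `PHP_QPRINT_MAXL-9` is a magic number: add a comment deriving the bound from the wrap logic in the loop below (worst case three output bytes per input byte plus one soft line break per wrapped line), so a reviewer can check the allocation against the loop instead of re-deriving it.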
@@ -286,4 +286,4 @@ PHP_FUNCTION(quoted_printable_encode)
  * End:
  * vim600: sw=4 ts=4 fdm=marker
  * vim<600: sw=4 ts=4
- */
\ No newline at end of file
+ */
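Review bot: this hunk only restores the missing newline at end of file and is unrelated to the overflow fix; either mention it in the commit message or carry it in a separate whitespace commit so the security change stays minimal and easy to backport.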
diff --git a/ext/standard/tests/strings/bug64879.phpt b/ext/standard/tests/strings/bug64879.phpt
new file mode 100644
index 0000000..1df90c6
--- /dev/null
+++ b/ext/standard/tests/strings/bug64879.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #64879: quoted_printable_encode() wrong size calculation (CVE-2013-2110)
+--FILE--
+<?php
+
+quoted_printable_encode(str_repeat("\xf4", 1000)); 
+quoted_printable_encode(str_repeat("\xf4", 100000)); 
+
+echo "Done\n";
+?>
+--EXPECTF--	
+Done
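Review bot: the test only proves the two calls return without crashing and then prints "Done"; it never inspects the encoder's output, so a future under-allocation that happens not to fault would still pass. Assert on the result instead, e.g. `var_dump(strlen(quoted_printable_encode(str_repeat("\xf4", 1000))));` with the expected length in the expected-output section. Minor style points: `--EXPECTF--` carries a trailing tab and the expected output uses no format specifiers, so plain `--EXPECT--` would do, and both quoted_printable_encode() lines end in trailing whitespace.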
-- 
1.7.1

 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 23:01:58 2014 UTC