Patch bug67397-patch for Unicode Engine related Bug #67397

Patch version 2014-06-08 20:45 UTC

• 2014-06-08 20:45 UTC [diff to current]

Developer: stas@php.net

commit 4bc7732398d5024b8486274bec9b0b690e1f069f
Author: Stanislav Malyshev <stas@php.net>
Date:   Sun Jun 8 13:44:40 2014 -0700

    Fix bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))

diff --git a/NEWS b/NEWS
index bb2cb1f..69047b1 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,10 @@ PHP                                                                        NEWS
 - Fileinfo:
   . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check).
 
+- Intl:
+  . Fixed bug #67397 (Buffer overflow in locale_get_display_name 
+    and uloc_getDisplayName (libicu 4.8.1)). (Stas)
+
 - SPL:
   . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence)
   . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam)
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index 9c5b09a..4afcb15 100644
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -501,8 +501,16 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME
 		RETURN_FALSE;
 	}
 
+    if(loc_name_len > ULOC_FULLNAME_CAPACITY) {
+        /* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */
+		spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name );
+		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,  msg , 1 TSRMLS_CC );
+		efree(msg);
+		RETURN_FALSE;
+    }
+
 	if(loc_name_len == 0) {
-	loc_name = INTL_G(default_locale);
+        loc_name = INTL_G(default_locale);
 	}
 
 	if( strcmp(tag_name, DISP_NAME) != 0 ){
diff --git a/ext/intl/tests/bug67397.phpt b/ext/intl/tests/bug67397.phpt
new file mode 100644
index 0000000..b2b2911
--- /dev/null
+++ b/ext/intl/tests/bug67397.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+    $ret = var_export(ut_loc_get_display_name(str_repeat('*', 256), 'en_us'), true);
+    $ret .= "\n";
+    $ret .= var_export(intl_get_error_message(), true);
+    return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR'