Patch fix-71606 for mbstring related Bug #71606
Patch version 2016-07-30 22:41 UTC
Developer: cmb@php.net
From eb20600719ccafe8380506e0b6b82b118feb1942 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmb@php.net>
Date: Sat, 30 Jul 2016 16:58:43 +0200
Subject: [PATCH] Fix #71606: Segmentation fault mb_strcut + mb_list_encodings
The HTML decoding filter uses the `opaque` member of mbfl_convert_filter
as a buffer, but there was no copy constructor defined, which caused double
frees when the filter is copied (which happens multiple times in mb_strcut(),
for instance).
---
NEWS | 1 +
ext/mbstring/libmbfl/filters/mbfilter_htmlent.c | 10 ++++++++--
ext/mbstring/libmbfl/filters/mbfilter_htmlent.h | 1 +
ext/mbstring/tests/bug71606.phpt | 13 +++++++++++++
4 files changed, 23 insertions(+), 2 deletions(-)
create mode 100644 ext/mbstring/tests/bug71606.phpt
diff --git a/NEWS b/NEWS
index 49d6c32..9ef68b1 100644
--- a/NEWS
+++ b/NEWS
@@ -56,6 +56,7 @@ PHP NEWS
position). (cmb)
. Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
(ju1ius)
+ . Fixed bug #71606 (Segmentation fault mb_strcut + mb_list_encodings). (cmb)
- PCRE:
. Fixed bug #72688 (preg_match missing group names in matches). (cmb)
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
index 56c364d..e2e76fe 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
+++ b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
@@ -88,7 +88,8 @@ const struct mbfl_convert_vtbl vtbl_html_wchar = {
mbfl_filt_conv_html_dec_ctor,
mbfl_filt_conv_html_dec_dtor,
mbfl_filt_conv_html_dec,
- mbfl_filt_conv_html_dec_flush };
+ mbfl_filt_conv_html_dec_flush,
+ mbfl_filt_conv_html_dec_copy };
#define CK(statement) do { if ((statement) < 0) return (-1); } while (0)
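Review bot: The vtbl_html_wchar initializer is positional, so the new mbfl_filt_conv_html_dec_copy entry only takes effect if the member that follows the flush callback in mbfl_convert_vtbl is the copy callback invoked by the generic filter copy routine; please confirm that against the struct definition (not part of this patch), and that the other vtbls in libmbfl which leave that slot unset still behave as before.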
@@ -309,4 +310,9 @@ int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter)
return err;
}
-
+void mbfl_filt_conv_html_dec_copy(mbfl_convert_filter *src, mbfl_convert_filter *dest)
+{
+ *dest = *src;
+ dest->opaque = mbfl_malloc(html_enc_buffer_size+1);
+ memcpy(dest->opaque, src->opaque, html_enc_buffer_size+1);
+}
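Review bot: In mbfl_filt_conv_html_dec_copy the result of mbfl_malloc is handed straight to memcpy without a NULL check, so an allocation failure becomes a write through a NULL pointer; add a guard such as `if (dest->opaque == NULL) return;` before the memcpy (or whatever failure convention the other libmbfl callbacks follow). The copy also assumes src->opaque is always non-NULL, i.e. that the ctor unconditionally allocated it; worth a one-line comment. Style nit: `html_enc_buffer_size + 1` with spaces around the operator.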
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
index 99827c2..11a8693 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
+++ b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
@@ -42,6 +42,7 @@ int mbfl_filt_conv_html_enc(int c, mbfl_convert_filter *filter);
int mbfl_filt_conv_html_enc_flush(mbfl_convert_filter *filter);
int mbfl_filt_conv_html_dec(int c, mbfl_convert_filter *filter);
int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter);
+void mbfl_filt_conv_html_dec_copy(mbfl_convert_filter *src, mbfl_convert_filter *dest);
void mbfl_filt_conv_html_dec_ctor(mbfl_convert_filter *filter);
void mbfl_filt_conv_html_dec_dtor(mbfl_convert_filter *filter);
diff --git a/ext/mbstring/tests/bug71606.phpt b/ext/mbstring/tests/bug71606.phpt
new file mode 100644
index 0000000..a09d7ad
--- /dev/null
+++ b/ext/mbstring/tests/bug71606.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #71606 (Segmentation fault mb_strcut + mb_list_encodings)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip ext/mbstring not available');
+?>
+--FILE--
+<?php
+echo mb_strcut('"', 0, 0, 'HTML-ENTITIES');
+echo 'DONE', PHP_EOL;
+?>
+--EXPECT--
+DONE
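Review bot: The test title mentions mb_list_encodings but the script never calls it; either drop it from the title or add the call if it is part of the original reproducer. The single `mb_strcut('"', 0, 0, 'HTML-ENTITIES')` call only proves the copy no longer double-frees; a second case that cuts with a non-zero length through an entity (e.g. an `&amp;` sequence) would also verify that the buffer contents duplicated in the copy callback are actually used by the copied filter.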
--
2.8.1.windows.1