Patch fix-71606 revision 2016-07-30 22:41 UTC by cmb@php.net

Patch fix-71606 for mbstring related Bug #71606

Patch version 2016-07-30 22:41 UTC

Developer: cmb@php.net

From eb20600719ccafe8380506e0b6b82b118feb1942 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmb@php.net>
Date: Sat, 30 Jul 2016 16:58:43 +0200
Subject: [PATCH] Fix #71606: Segmentation fault mb_strcut + mb_list_encodings

The HTML decoding filter uses the `opaque` member of mbfl_convert_filter
as a buffer, but there was no copy constructor defined, which caused double
frees when the filter is copied (which happens multiple times in mb_strcut(),
for instance).
---
 NEWS                                            |  1 +
 ext/mbstring/libmbfl/filters/mbfilter_htmlent.c | 10 ++++++++--
 ext/mbstring/libmbfl/filters/mbfilter_htmlent.h |  1 +
 ext/mbstring/tests/bug71606.phpt                | 13 +++++++++++++
 4 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 ext/mbstring/tests/bug71606.phpt

diff --git a/NEWS b/NEWS
index 49d6c32..9ef68b1 100644
--- a/NEWS
+++ b/NEWS
@@ -56,6 +56,7 @@ PHP                                                                        NEWS
     position). (cmb)
   . Fixed bug #72710 (`mb_ereg` causes buffer overflow on regexp compile error).
     (ju1ius)
+  . Fixed bug #71606 (Segmentation fault mb_strcut + mb_list_encodings). (cmb)
 
 - PCRE:
   . Fixed bug #72688 (preg_match missing group names in matches). (cmb)
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
index 56c364d..e2e76fe 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
+++ b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.c
@@ -88,7 +88,8 @@ const struct mbfl_convert_vtbl vtbl_html_wchar = {
 	mbfl_filt_conv_html_dec_ctor,
 	mbfl_filt_conv_html_dec_dtor,
 	mbfl_filt_conv_html_dec,
-	mbfl_filt_conv_html_dec_flush };
+	mbfl_filt_conv_html_dec_flush,
+	mbfl_filt_conv_html_dec_copy };
 
 
 #define CK(statement)	do { if ((statement) < 0) return (-1); } while (0)
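Review bot: the vtbl now references mbfl_filt_conv_html_dec_copy before its definition at line 310 of this file, so the prototype added to mbfilter_htmlent.h must be visible at this point; please confirm the .c file includes that header above the vtbl definition, otherwise this is an implicit declaration (error on a C99-strict build). Only vtbl_html_wchar gains the copy callback here; the encoder-side vtbl is untouched, which is fine if it does not use `opaque`, but worth stating in the commit message.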
@@ -309,4 +310,9 @@ int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter)
 	return err;
 }
 
-
+void mbfl_filt_conv_html_dec_copy(mbfl_convert_filter *src, mbfl_convert_filter *dest)
+{
+	*dest = *src;
+	dest->opaque = mbfl_malloc(html_enc_buffer_size+1);
+	memcpy(dest->opaque, src->opaque, html_enc_buffer_size+1);
+}
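Review bot: the copy duplicates a fixed html_enc_buffer_size+1 bytes, so it is correct only if the ctor allocates `opaque` with exactly that size and keeps the NUL terminator inside it; since the allocation is outside this hunk, a comment cross-referencing the ctor (or a shared size macro used by both) would keep the two from drifting apart. The mbfl_malloc return value is not checked, and memcpy would dereference a NULL src->opaque if the source filter had been constructed without a buffer; consider `if (src->opaque) { ... } else { dest->opaque = NULL; }` so the copy can never share or read an absent buffer. The shallow `*dest = *src` intentionally carries over the chained output filter and mode fields, which matches what the other copy callbacks need, but a one-line comment saying that only `opaque` needs deep copying would help the next reader.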
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
index 99827c2..11a8693 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
+++ b/ext/mbstring/libmbfl/filters/mbfilter_htmlent.h
@@ -42,6 +42,7 @@ int mbfl_filt_conv_html_enc(int c, mbfl_convert_filter *filter);
 int mbfl_filt_conv_html_enc_flush(mbfl_convert_filter *filter);
 int mbfl_filt_conv_html_dec(int c, mbfl_convert_filter *filter);
 int mbfl_filt_conv_html_dec_flush(mbfl_convert_filter *filter);
+void mbfl_filt_conv_html_dec_copy(mbfl_convert_filter *src, mbfl_convert_filter *dest);
 void mbfl_filt_conv_html_dec_ctor(mbfl_convert_filter *filter);
 void mbfl_filt_conv_html_dec_dtor(mbfl_convert_filter *filter);
 
diff --git a/ext/mbstring/tests/bug71606.phpt b/ext/mbstring/tests/bug71606.phpt
new file mode 100644
index 0000000..a09d7ad
--- /dev/null
+++ b/ext/mbstring/tests/bug71606.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #71606 (Segmentation fault mb_strcut + mb_list_encodings)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip ext/mbstring not available');
+?>
+--FILE--
+<?php
+echo mb_strcut('&quot;', 0, 0, 'HTML-ENTITIES');
+echo 'DONE', PHP_EOL;
+?>
+--EXPECT--
+DONE
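Review bot: the test passes a length of 0 to mb_strcut(), so it proves the copied filter no longer double-frees but never reads the copied buffer; a second case that cuts a non-zero length through a partially consumed entity (input that leaves data in the decoder buffer at the cut point) and asserts the returned bytes would also cover the memcpy added in mbfl_filt_conv_html_dec_copy. The bug title mentions mb_list_encodings(), yet the test does not call it; either drop it from the title or add the call that reproduced the original crash.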
-- 
2.8.1.windows.1