]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 91f8787)
Fix length inconsistency in mb_convert_encoding
authorNikita Popov <nikita.ppv@gmail.com>
Wed, 29 Jan 2020 11:19:28 +0000 (12:19 +0100)
committerNikita Popov <nikita.ppv@gmail.com>
Wed, 29 Jan 2020 11:19:28 +0000 (12:19 +0100)
Don't mix strlen() and ZSTR_LEN(). If the encoding contains a
NULL byte, this will overflow the buffer.

NULL bytes will still make this behave oddly because the consuming
code will cut off the string there, but let's address that in master...

ext/mbstring/mbstring.c patch | blob | history
ext/mbstring/tests/bug79149.phpt patch | blob | history

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 78557e7f942f0d2d4c44b6baa93d7dd2502d572b..d6b633ff3a1b13291ccd1c7c8e2732d9688eb604 100644 (file)
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3370,7 +3370,7 @@ PHP_FUNCTION(mb_convert_encoding)
 
                                        if ( _from_encodings) {
                                                l = strlen(_from_encodings);
-                                               n = strlen(ZSTR_VAL(encoding_str));
+                                               n = ZSTR_LEN(encoding_str);
                                                _from_encodings = erealloc(_from_encodings, l+n+2);
                                                memcpy(_from_encodings + l, ",", 1);
                                                memcpy(_from_encodings + l + 1, ZSTR_VAL(encoding_str), ZSTR_LEN(encoding_str) + 1);
diff --git a/ext/mbstring/tests/bug79149.phpt b/ext/mbstring/tests/bug79149.phpt
index fc3751d933ad8dcbb9c27bb47707156c849c6973..fe2007536e35e55b328cd45612056f8555804091 100644 (file)
--- a/ext/mbstring/tests/bug79149.phpt
+++ b/ext/mbstring/tests/bug79149.phpt
@@ -8,6 +8,7 @@ if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
 <?php
 var_dump(mb_convert_encoding("", "UTF-8", [0]));
 var_dump(mb_convert_encoding('foo', 'UTF-8', array(['bar'], ['baz'])));
+var_dump(mb_convert_encoding('foo', 'UTF-8', array("foo\0bar")));
 ?>
 --EXPECTF--
 Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d
@@ -19,3 +20,6 @@ Notice: Array to string conversion in %s on line %d
 
 Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d
 string(3) "foo"
+
+Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d
+string(3) "foo"
Unnamed repository; edit this file 'description' to name the repository.