?? ??? 2018, PHP 5.6.40
- GD:
- . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
+ . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to
use-after-free). (cmb)
. Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb)
- Mbstring:
. Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas)
- . Fixed bug #77371 (heap buffer overflow in mb regex functions
+ . Fixed bug #77371 (heap buffer overflow in mb regex functions
- compile_string_node). (Stas)
. Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas)
- . Fixed bug #77382 (heap buffer overflow due to incorrect length in
+ . Fixed bug #77382 (heap buffer overflow due to incorrect length in
expand_case_fold_string). (Stas)
. Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
. Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
+ . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
- Phar:
. Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
}
static OnigCodePoint
-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16be_mbc_to_code(const UChar* p, const UChar* end)
{
OnigCodePoint code;
if (UTF16_IS_SURROGATE_FIRST(*p)) {
+ if (end - p < 4) return 0;
code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16)
+ ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8)
+ p[3];
}
else {
+ if (end - p < 2) return 0;
code = p[0] * 256 + p[1];
}
return code;
}
static OnigCodePoint
-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16le_mbc_to_code(const UChar* p, const UChar* end)
{
OnigCodePoint code;
UChar c0 = *p;
UChar c1 = *(p+1);
if (UTF16_IS_SURROGATE_FIRST(c1)) {
+ if (end - p < 4) return 0;
code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16)
+ ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8)
+ p[2];
static OnigCodePoint
utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
{
+ if (end - p < 4) return 0;
return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
}
static OnigCodePoint
utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
{
+ if (end - p < 4) return 0;
return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
}
--- /dev/null
+--TEST--
+Bug #77371 (Heap overflow in utf32be_mbc_to_code)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+mb_regex_encoding("UTF-32");
+var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(30) "000000000000000000000000000000"
+}
projects / php / commitdiff