Fix bug #67349: Locale::parseLocale Double Free

diff --git a/NEWS b/NEWS
index ce9398e586bdaf1c5773da24b40c572279ab2042..37dcc63eb09ee86a04abb479a7f6ac25cd409898 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,7 @@ PHP                                                                        NEWS
   . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas)
 
 - CLI server:
-  . Fixed Bug #67406i (built-in web-server segfaults on startup). (Remi)
+  . Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi)
 
 - Date:
   . Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
@@ -31,6 +31,9 @@ PHP                                                                        NEWS
   . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary
     check). (CVE-2014-3487) (Francisco Alonso, Jan Kaluza, Remi)
 
+- Intl:
+  . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas)
+
 - Network:
   . Fixed bug #67432 (Fix potential segfault in dns_get_record()). 
     (CVE-2014-4049). (Sara)

diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index 9c5b09a7bcc962b0de8208b02e2bbb81b71ce01a..f6b3142fc50f6629e25831b814a03de9403357f3 100644 (file)
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -272,8 +272,7 @@ static char* get_icu_value_internal( char* loc_name , char* tag_name, int* resul
                grOffset =  findOffset( LOC_GRANDFATHERED , loc_name );
                if( grOffset >= 0 ){
                        if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
-                               tag_value = estrdup(loc_name);
-                               return tag_value;
+                               return estrdup(loc_name);
                        } else {
                                /* Since Grandfathered , no value , do nothing , retutn NULL */
                                return NULL;
@@ -283,8 +282,8 @@ static char* get_icu_value_internal( char* loc_name , char* tag_name, int* resul
        if( fromParseLocale==1 ){
                /* Handle singletons */
                if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
-                       if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){
-                               return loc_name;
+                       if( strlen(loc_name)>1 && isIDPrefix(loc_name) ){
+                               return estrdup(loc_name);
                        }
                }
 

diff --git a/ext/intl/tests/locale_parse_locale2.phpt b/ext/intl/tests/locale_parse_locale2.phpt
index 6012862a48928154d791bc693d00d2f2a772588a..30cc8cc0ae5a88d76003787afe6aea15578fdd55 100644 (file)
--- a/ext/intl/tests/locale_parse_locale2.phpt
+++ b/ext/intl/tests/locale_parse_locale2.phpt
@@ -63,7 +63,8 @@ function ut_main()
 //Some Invalid Tags:
         'de-419-DE',
         'a-DE',
-        'ar-a-aaa-b-bbb-a-ccc'
+        'ar-a-aaa-b-bbb-a-ccc',
+       'x-AAAAAA',
     );
 
 
@@ -201,3 +202,6 @@ No values found from Locale parsing.
 ---------------------
 ar-a-aaa-b-bbb-a-ccc:
 language : 'ar' ,
+---------------------
+x-AAAAAA:
+private0 : 'AAAAAA' ,