Fix bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName ...

diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index 0afbba2a517e5c725a02a845016b663c41143d6c..881e35618ecdbc3cb88a82dffa81b89d8fc5ae2b 100644 (file)
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -497,8 +497,16 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME
                RETURN_FALSE;
        }
 
+    if(loc_name_len > ULOC_FULLNAME_CAPACITY) {
+        /* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */
+               spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name );
+               intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,  msg , 1 TSRMLS_CC );
+               efree(msg);
+               RETURN_FALSE;
+    }
+
        if(loc_name_len == 0) {
-       loc_name = INTL_G(default_locale);
+        loc_name = INTL_G(default_locale);
        }
 
        if( strcmp(tag_name, DISP_NAME) != 0 ){

diff --git a/ext/intl/tests/bug67397.phpt b/ext/intl/tests/bug67397.phpt
new file mode 100644 (file)
index 0000000..b2b2911
--- /dev/null
+++ b/ext/intl/tests/bug67397.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+    $ret = var_export(ut_loc_get_display_name(str_repeat('*', 256), 'en_us'), true);
+    $ret .= "\n";
+    $ret .= var_export(intl_get_error_message(), true);
+    return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR'