Fixed a buffer overflow that occurs when wordwrap is unable to calculate

the correct number of times the multi-byte break needs to be inserted into
the string.

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 544d6237690b27c9eb8a48756427253e9860af7b..ed97392740df558b336741c25871a6200de677a7 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -640,13 +640,14 @@ PHP_FUNCTION(wordwrap)
        else {
                /* Multiple character line break or forced cut */
                if (linelength > 0) {
-                       newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1;
+                       /* Add extra 10% to accomodate strings with unpredicatable number of breaks */
+                       newtextlen = textlen + (textlen/linelength + 1) * breakcharlen * 1.1 + 1;
                }
                else {
                        newtextlen = textlen * (breakcharlen + 1) + 1;
                }
                newtext = emalloc(newtextlen);
-
+       
                /* now keep track of the actual new text length */
                newtextlen = 0;
 
@@ -705,6 +706,8 @@ PHP_FUNCTION(wordwrap)
                }
 
                newtext[newtextlen] = '\0';
+               /* free unused memory */
+               newtext = erealloc(newtext, newtextlen+1);
 
                RETURN_STRINGL(newtext, newtextlen, 0);
        }