From: Moriyoshi Koizumi Date: Tue, 9 Nov 2010 03:23:04 +0000 (+0000) Subject: - Fix bug #53273 (mb_strcut() returns garbage with the excessive length parameter). X-Git-Tag: php-5.3.4RC1~64 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=89d372ba272cfdf47c35b8053e6f53083d2feace;p=php - Fix bug #53273 (mb_strcut() returns garbage with the excessive length parameter). --- diff --git a/NEWS b/NEWS index 507ef48d00..7f8fb0a9ab 100644 --- a/NEWS +++ b/NEWS @@ -55,6 +55,7 @@ - Fixed the filter extension accepting IPv4 octets with a leading 0 as that belongs to the unsupported "dotted octal" representation. (Gustavo) +- Fixed bug #53273 (mb_strcut() returns garbage with the excessive length parameter). (CVE-2010-4156) (Mateusz Kocielski, Pierre, Moriyoshi) - Fixed bug #53248 (rawurlencode RFC 3986 EBCDIC support misses tilde char). (Justin Martin) - Fixed bug #53241 (stream casting that relies on fdopen/fopencookie fails diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c index d11cebe447..b8b1db2683 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfilter.c +++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c @@ -1397,6 +1397,10 @@ mbfl_strcut( start = string->val + from; end = start + (length & -4); } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) { + if (from + length >= string->len) { + length = string->len - from; + } + start = string->val + from; end = start + length; } else if (encoding->mblen_table != NULL) { diff --git a/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt b/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt new file mode 100644 index 0000000000..a67b99e7da --- /dev/null +++ b/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt @@ -0,0 +1,31 @@ +--TEST-- +mb_strcut() missing boundary check. +--SKIPIF-- + +--FILE-- +
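Review bot: in the mbfilter.c hunk the new clamp `if (from + length >= string->len)` is added only to the `MBFL_ENCTYPE_SBCS` branch; the fixed-width branch in the context just above it (`end = start + (length & -4);`) still derives `end` from the caller's `length` with no visible bound, and the `mblen_table` branch that follows is not touched, so an excessive `length` looks reachable on those paths unless the caller bounds it first; if they are safe for another reason, the commit message should say so. Within the added lines, `from + length` can overflow for a large `length` (the widths of `from` and `length` are not visible in the hunk); `if (length > string->len - from)` cannot wrap, is equivalent whenever `from <= string->len`, and `>` rather than `>=` is sufficient, since `from + length == string->len` is exactly in range.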
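Review bot: in the new test mb_strcut_missing_boundary_check.phpt the `--SKIPIF--` section is empty as shown; it should bail out when the extension is not built (`<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>`), and since the change is tied to bug #53273 the usual php-src naming would be `bug53273.phpt`. The hunk ends at `--FILE--` on this page, so whether the body exercises the excessive-length case on a single-byte encoding, the only path the fix touches, cannot be confirmed from what is visible.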
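The defect behind bug #53273 is a byte range computed from a caller-supplied `length` without bounding it against the bytes that remain in the buffer, so the cut reads past the end of the string. The following is an added example, not code from this commit or from libmbfl: a stand-alone model of the single-byte-encoding branch of a strcut routine, written with `size_t` so that wraparound is well defined. `naive_needs_clamp` reproduces the shape of the check in the patch (`from + length >= len`), `sbcs_cut` does the comparison against the remaining bytes instead, and `sample_cut_len` runs it over a constructed 11-byte sample; the struct, function names and sample text are all assumptions of this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the SBCS branch of a strcut routine; added example
 * code, not PHP's libmbfl. */
struct span {
    const unsigned char *start;
    size_t len;
};

/* The shape of the check in the patch, in unsigned arithmetic so the
 * wraparound is defined: returns nonzero when the request must be clamped.
 * Forming `from + length` lets a huge `length` wrap to a small sum, and the
 * excessive request is then classified as in range. */
int naive_needs_clamp(size_t len, size_t from, size_t length)
{
    return from + length >= len;
}

/* Bounds the byte range [from, from+length) to a buffer of `len` bytes.
 * Returns 0 on success, -1 if `from` itself lies beyond the buffer. */
int sbcs_cut(const unsigned char *buf, size_t len, size_t from, size_t length,
             struct span *out)
{
    if (from > len) {
        out->start = NULL;
        out->len = 0;
        return -1;
    }
    /* Compare against the bytes that remain instead of forming from + length,
     * so an oversized `length` cannot wrap past the check. */
    size_t remaining = len - from;
    if (length > remaining) {
        length = remaining;
    }
    out->start = buf + from;
    out->len = length;
    return 0;
}

/* Constructed sample input (11 bytes, NUL excluded). */
static const unsigned char sample_text[] = "hello world";
#define SAMPLE_LEN (sizeof(sample_text) - 1)

/* Runs sbcs_cut over the sample and returns the clamped byte count, or 0 when
 * `from` is out of range; asserts that the span never leaves sample_text. */
size_t sample_cut_len(size_t from, size_t length)
{
    struct span s;
    if (sbcs_cut(sample_text, SAMPLE_LEN, from, length, &s) != 0) {
        return 0;
    }
    assert(s.start >= sample_text &&
           s.start + s.len <= sample_text + SAMPLE_LEN);
    return s.len;
}

int main(void)
{
    char out[32];
    struct span s;

    /* Excessive length: clamped to the 5 bytes that remain after offset 6. */
    sbcs_cut(sample_text, SAMPLE_LEN, 6, 1000, &s);
    memcpy(out, s.start, s.len);
    out[s.len] = '\0';
    printf("cut(6, 1000) = \"%s\" (%zu bytes)\n", out, s.len);

    /* With length near SIZE_MAX the naive sum wraps and reports that no clamp
     * is needed, while the remaining-bytes check still yields 5 bytes. */
    printf("naive check, length SIZE_MAX: needs_clamp=%d\n",
           naive_needs_clamp(SAMPLE_LEN, 6, SIZE_MAX));
    printf("safe check,  length SIZE_MAX: %zu bytes\n",
           sample_cut_len(6, SIZE_MAX));
    return 0;
}
```

The point of `naive_needs_clamp` is only the wrap: for `from = 6` and `length = SIZE_MAX` the sum is 5, which is below the buffer length, so a check written as a sum can be bypassed with a large enough argument even though it catches the ordinary oversized case; subtracting `from` from the length first avoids the sum entirely.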