From: Ilia Alshanetsky <iliaa@php.net>
Date: Thu, 5 Sep 2002 14:00:28 +0000 (+0000)
Subject: Fixed a buffer overflow that occurs when wordwrap is unable to calculate
X-Git-Tag: RELEASE_0_91~92
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=eb58557e1cc244218c867437d7e018eb6a64e553;p=php

Fixed a buffer overflow that occurs when wordwrap is unable to calculate
the correct number of times the multi-byte break needs to be inserted into
the string.
---

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 544d623769..ed97392740 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -640,13 +640,14 @@ PHP_FUNCTION(wordwrap)
 	else {
 		/* Multiple character line break or forced cut */
 		if (linelength > 0) {
-			newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1;
+			/* Add extra 10% to accomodate strings with unpredicatable number of breaks */
+			newtextlen = textlen + (textlen/linelength + 1) * breakcharlen * 1.1 + 1;
 		}
 		else {
 			newtextlen = textlen * (breakcharlen + 1) + 1;
 		}
 		newtext = emalloc(newtextlen);
-
+	
 		/* now keep track of the actual new text length */
 		newtextlen = 0;
 
@@ -705,6 +706,8 @@ PHP_FUNCTION(wordwrap)
 		}
 
 		newtext[newtextlen] = '\0';
+		/* free unused memory */
+		newtext = erealloc(newtext, newtextlen+1);
 
 		RETURN_STRINGL(newtext, newtextlen, 0);
 	}