From 5fce3f4e02ba374e9c364736443ee6e2292364fa Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Wed, 19 Sep 2007 00:42:20 +0000
Subject: [PATCH] MFB length tests

---
 .../iconv-charset-length-cve-2007-4840.phpt   | 17 +++++++++++++++
 ...e_decode-charset-length-cve-2007-4840.phpt | 13 ++++++++++++
 ..._headers-charset-length-cve-2007-4840.phpt | 13 ++++++++++++
 ...encoding-charset-length-cve-2007-4840.phpt | 21 +++++++++++++++++++
 ...v_strlen-charset-length-cve-2007-4840.phpt | 13 ++++++++++++
 ...v_strpos-charset-length-cve-2007-4840.phpt | 13 ++++++++++++
 ..._strrpos-charset-length-cve-2007-4840.phpt | 13 ++++++++++++
 ...v_substr-charset-length-cve-2007-4783.phpt | 14 +++++++++++++
 8 files changed, 117 insertions(+)
 create mode 100755 ext/iconv/tests/iconv-charset-length-cve-2007-4840.phpt
 create mode 100755 ext/iconv/tests/iconv_mime_decode-charset-length-cve-2007-4840.phpt
 create mode 100755 ext/iconv/tests/iconv_mime_decode_headers-charset-length-cve-2007-4840.phpt
 create mode 100755 ext/iconv/tests/iconv_set_encoding-charset-length-cve-2007-4840.phpt
 create mode 100755 ext/iconv/tests/iconv_strlen-charset-length-cve-2007-4840.phpt
 create mode 100755 ext/iconv/tests/iconv_strpos-charset-length-cve-2007-4840.phpt
 create mode 100755 ext/iconv/tests/iconv_strrpos-charset-length-cve-2007-4840.phpt
 create mode 100755 ext/iconv/tests/iconv_substr-charset-length-cve-2007-4783.phpt

diff --git a/ext/iconv/tests/iconv-charset-length-cve-2007-4840.phpt b/ext/iconv/tests/iconv-charset-length-cve-2007-4840.phpt
new file mode 100755
index 0000000000..03b3574d6e
--- /dev/null
+++ b/ext/iconv/tests/iconv-charset-length-cve-2007-4840.phpt
@@ -0,0 +1,17 @@
+--TEST--
+iconv() charset parameter length checks (CVE-2007-4840)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$a = str_repeat("/", 9000000);
+var_dump(iconv($a, "b", "test"));
+var_dump(iconv("x", $a, "test"));
+?>
+--EXPECTF--
+
+Warning: iconv(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
+
+Warning: iconv(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
diff --git a/ext/iconv/tests/iconv_mime_decode-charset-length-cve-2007-4840.phpt b/ext/iconv/tests/iconv_mime_decode-charset-length-cve-2007-4840.phpt
new file mode 100755
index 0000000000..d4ed01d956
--- /dev/null
+++ b/ext/iconv/tests/iconv_mime_decode-charset-length-cve-2007-4840.phpt
@@ -0,0 +1,13 @@
+--TEST--
+iconv_mime_decode() charset parameter length checks (CVE-2007-4840)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$a = str_repeat("/", 9000000);
+var_dump(iconv_mime_decode("a", null, $a));
+?>
+--EXPECTF--
+
+Warning: iconv_mime_decode(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
diff --git a/ext/iconv/tests/iconv_mime_decode_headers-charset-length-cve-2007-4840.phpt b/ext/iconv/tests/iconv_mime_decode_headers-charset-length-cve-2007-4840.phpt
new file mode 100755
index 0000000000..48d664d600
--- /dev/null
+++ b/ext/iconv/tests/iconv_mime_decode_headers-charset-length-cve-2007-4840.phpt
@@ -0,0 +1,13 @@
+--TEST--
+iconv_mime_decode_headers() charset parameter length checks (CVE-2007-4840)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$a = str_repeat("/", 9000000);
+var_dump(iconv_mime_decode_headers("a", null, $a));
+?>
+--EXPECTF--
+
+Warning: iconv_mime_decode_headers(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
diff --git a/ext/iconv/tests/iconv_set_encoding-charset-length-cve-2007-4840.phpt b/ext/iconv/tests/iconv_set_encoding-charset-length-cve-2007-4840.phpt
new file mode 100755
index 0000000000..e6abca5df1
--- /dev/null
+++ b/ext/iconv/tests/iconv_set_encoding-charset-length-cve-2007-4840.phpt
@@ -0,0 +1,21 @@
+--TEST--
+iconv_set_encoding() charset parameter length checks (CVE-2007-4840)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$a = str_repeat("/", 9000000);
+var_dump(iconv_set_encoding("input_encoding", $a));
+var_dump(iconv_set_encoding("output_encoding", $a));
+var_dump(iconv_set_encoding("internal_encoding", $a));
+?>
+--EXPECTF--
+
+Warning: iconv_set_encoding(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
+
+Warning: iconv_set_encoding(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
+
+Warning: iconv_set_encoding(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
diff --git a/ext/iconv/tests/iconv_strlen-charset-length-cve-2007-4840.phpt b/ext/iconv/tests/iconv_strlen-charset-length-cve-2007-4840.phpt
new file mode 100755
index 0000000000..348cfb1265
--- /dev/null
+++ b/ext/iconv/tests/iconv_strlen-charset-length-cve-2007-4840.phpt
@@ -0,0 +1,13 @@
+--TEST--
+iconv_strlen() charset parameter length checks (CVE-2007-4840)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$a = str_repeat("/", 9791999);
+var_dump(iconv_strlen(1, $a));
+?>
+--EXPECTF--
+
+Warning: iconv_strlen(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
diff --git a/ext/iconv/tests/iconv_strpos-charset-length-cve-2007-4840.phpt b/ext/iconv/tests/iconv_strpos-charset-length-cve-2007-4840.phpt
new file mode 100755
index 0000000000..4cb858f0db
--- /dev/null
+++ b/ext/iconv/tests/iconv_strpos-charset-length-cve-2007-4840.phpt
@@ -0,0 +1,13 @@
+--TEST--
+iconv_strpos() charset parameter length checks (CVE-2007-4840)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$a = str_repeat("/", 9000000);
+var_dump(iconv_strpos("a", "b", 0, $a));
+?>
+--EXPECTF--
+
+Warning: iconv_strpos(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
diff --git a/ext/iconv/tests/iconv_strrpos-charset-length-cve-2007-4840.phpt b/ext/iconv/tests/iconv_strrpos-charset-length-cve-2007-4840.phpt
new file mode 100755
index 0000000000..948cc67c77
--- /dev/null
+++ b/ext/iconv/tests/iconv_strrpos-charset-length-cve-2007-4840.phpt
@@ -0,0 +1,13 @@
+--TEST--
+iconv_strrpos() charset parameter length checks (CVE-2007-4840)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$a = str_repeat("/", 9000000);
+var_dump(iconv_strrpos("a", "b", $a));
+?>
+--EXPECTF--
+
+Warning: iconv_strrpos(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
diff --git a/ext/iconv/tests/iconv_substr-charset-length-cve-2007-4783.phpt b/ext/iconv/tests/iconv_substr-charset-length-cve-2007-4783.phpt
new file mode 100755
index 0000000000..c27e60d1dd
--- /dev/null
+++ b/ext/iconv/tests/iconv_substr-charset-length-cve-2007-4783.phpt
@@ -0,0 +1,14 @@
+--TEST--
+iconv_substr() charset parameter length checks (CVE-2007-4783)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$a = str_repeat('A', 99897);
+$b = str_repeat('/', 2798349);
+var_dump(iconv_substr($a, 0, 1, $b));
+?>
+--EXPECTF--
+
+Warning: iconv_substr(): Charset parameter exceeds the maximum allowed length of %d characters in %s on line %d
+bool(false)
-- 
2.50.1