From 89d372ba272cfdf47c35b8053e6f53083d2feace Mon Sep 17 00:00:00 2001 From: Moriyoshi Koizumi Date: Tue, 9 Nov 2010 03:23:04 +0000 Subject: [PATCH] - Fix bug #53273 (mb_strcut() returns garbage with the excessive length parameter). --- NEWS | 1 + ext/mbstring/libmbfl/mbfl/mbfilter.c | 4 +++ .../mb_strcut_missing_boundary_check.phpt | 31 +++++++++++++++++++ 3 files changed, 36 insertions(+) create mode 100644 ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt diff --git a/NEWS b/NEWS index 507ef48d00..7f8fb0a9ab 100644 --- a/NEWS +++ b/NEWS @@ -55,6 +55,7 @@ - Fixed the filter extension accepting IPv4 octets with a leading 0 as that belongs to the unsupported "dotted octal" representation. (Gustavo) +- Fixed bug #53273 (mb_strcut() returns garbage with the excessive length parameter). (CVE-2010-4156) (Mateusz Kocielski, Pierre, Moriyoshi) - Fixed bug #53248 (rawurlencode RFC 3986 EBCDIC support misses tilde char). (Justin Martin) - Fixed bug #53241 (stream casting that relies on fdopen/fopencookie fails diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c index d11cebe447..b8b1db2683 100644 --- a/ext/mbstring/libmbfl/mbfl/mbfilter.c +++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c @@ -1397,6 +1397,10 @@ mbfl_strcut( start = string->val + from; end = start + (length & -4); } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) { + if (from + length >= string->len) { + length = string->len - from; + } + start = string->val + from; end = start + length; } else if (encoding->mblen_table != NULL) { diff --git a/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt b/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt new file mode 100644 index 0000000000..a67b99e7da --- /dev/null +++ b/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt @@ -0,0 +1,31 @@ +--TEST-- +mb_strcut() missing boundary check. +--SKIPIF-- + +--FILE-- +
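Review bot: The commit subject omits the CVE-2010-4156 identifier that the NEWS hunk carries ("Fixed bug #53273 ... (CVE-2010-4156)"); putting the CVE in the subject line makes this security fix findable in `git log` when tracking backports, and the NEWS entry and subject should otherwise use the same wording.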
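Review bot: In the mbfilter.c hunk, the new clamp `length = string->len - from;` is only safe if `from <= string->len` has already been established earlier in `mbfl_strcut`, otherwise the subtraction wraps and `end` still lands past the buffer; if that check exists above the hunk, a one-line comment here would make the invariant visible, and if it does not, add `if (from >= string->len) return NULL;` style handling before the clamp. The same visible context shows the fixed-width branch directly above (`end = start + (length & -4);`) with no equivalent clamp, so either confirm that branch is bounded elsewhere or apply the same `from + length >= string->len` check there, since an over-long `length` has the same effect for 2- and 4-byte encodings. Also worth checking that `from + length` cannot overflow in the type it is computed in before being compared against `string->len`; a comparison written as `length >= string->len - from` avoids that.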
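Review bot: The new test's `--TEST--` title ("mb_strcut() missing boundary check.") should reference Bug #53273 so the regression test can be matched to the NEWS entry, and the `--SKIPIF--` section should skip when the mbstring extension is not loaded, which is the usual pattern for ext/mbstring tests; the `--FILE--` body is not visible in this copy of the patch, so its expected output could not be reviewed here.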