diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-06-08 13:44:40 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-06-21 18:44:14 -0700 |
| commit | 6027c56fd727d2c4b193b96fee19cdbb4a128447 (patch) | |
| tree | 0befc0886398e40feb204899f7fbfaa5102ce0d0 | |
| parent | aef6432fbe9cd9b75e29acda226c34d57e434dec (diff) | |
| download | php-git-6027c56fd727d2c4b193b96fee19cdbb4a128447.tar.gz | |
Fix bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/intl/locale/locale_methods.c | 10 | ||||
| -rw-r--r-- | ext/intl/tests/bug67397.phpt | 21 |
3 files changed, 32 insertions, 1 deletions
@@ -33,6 +33,8 @@ PHP NEWS - Intl: . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas) + . Fixed bug #67397 (Buffer overflow in locale_get_display_name and + uloc_getDisplayName (libicu 4.8.1)). (Stas) - Network: . Fixed bug #67432 (Fix potential segfault in dns_get_record()). diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index f6b3142fc5..3bb5648356 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c @@ -500,8 +500,16 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME RETURN_FALSE; } + if(loc_name_len > ULOC_FULLNAME_CAPACITY) { + /* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */ + spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name ); + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, msg , 1 TSRMLS_CC ); + efree(msg); + RETURN_FALSE; + } + if(loc_name_len == 0) { - loc_name = INTL_G(default_locale); + loc_name = INTL_G(default_locale); } if( strcmp(tag_name, DISP_NAME) != 0 ){ diff --git a/ext/intl/tests/bug67397.phpt b/ext/intl/tests/bug67397.phpt new file mode 100644 index 0000000000..b2b2911f8a --- /dev/null +++ b/ext/intl/tests/bug67397.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1)) +--SKIPIF-- +<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?> +--FILE-- +<?php + +function ut_main() +{ + $ret = var_export(ut_loc_get_display_name(str_repeat('*', 256), 'en_us'), true); + $ret .= "\n"; + $ret .= var_export(intl_get_error_message(), true); + return $ret; +} + +include_once( 'ut_common.inc' ); +ut_run(); +?> +--EXPECTF-- +false +'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR' |