diff options
author | Gustavo André dos Santos Lopes <cataphract@php.net> | 2012-02-05 09:59:33 +0000 |
---|---|---|
committer | Gustavo André dos Santos Lopes <cataphract@php.net> | 2012-02-05 09:59:33 +0000 |
commit | d4cf399cc47cd51c3cf942ef503a5cd6442fcd1d (patch) | |
tree | aeb9fc6fd7283b8650d19111de357c6a77df08a5 | |
parent | 53f5653bea55373690cc45d33912d62f539fddf9 (diff) | |
download | php-git-d4cf399cc47cd51c3cf942ef503a5cd6442fcd1d.tar.gz |
- Merge r323056 (see bug #60965).
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | ext/standard/html.c | 17 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug60965.phpt | 10 |
3 files changed, 26 insertions, 6 deletions
@@ -1,10 +1,13 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? Feb 2012, PHP 5.4.0 RC 8 +- Core: + . Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with + $double=false). (Gustavo) 02 Feb 2012, PHP 5.4.0 RC 7 - Core: - . Fix bug #60895 (Possible invalid handler usage in windows random + . Fixed bug #60895 (Possible invalid handler usage in windows random functions). (Pierre) . Fixed bug #51860 (Include fails with toplevel symlink to /). (Dmitry) . Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods. diff --git a/ext/standard/html.c b/ext/standard/html.c index c4bc504080..1d031195ba 100644 --- a/ext/standard/html.c +++ b/ext/standard/html.c @@ -1215,7 +1215,6 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char *old, size_t oldlen, size size_t cursor, maxlen, len; char *replaced; enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC); - int matches_map; int doctype = flags & ENT_HTML_DOC_TYPE_MASK; entity_table_opt entity_table; const enc_to_uni *to_uni_table = NULL; @@ -1253,12 +1252,14 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char *old, size_t oldlen, size } } + /* initial estimate */ if (oldlen < 64) { maxlen = 128; } else { maxlen = 2 * oldlen; } - replaced = emalloc(maxlen); + + replaced = emalloc(maxlen + 1); len = 0; cursor = 0; while (cursor < oldlen) { @@ -1271,7 +1272,7 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char *old, size_t oldlen, size /* guarantee we have at least 40 bytes to write. * In HTML5, entities may take up to 33 bytes */ if (len + 40 > maxlen) { - replaced = erealloc(replaced, maxlen += 128); + replaced = erealloc(replaced, (maxlen += 128) + 1); } if (status == FAILURE) { @@ -1291,7 +1292,6 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char *old, size_t oldlen, size mbsequence = &old[cursor_before]; mbseqlen = cursor - cursor_before; } - matches_map = 0; if (this_char != '&') { /* no entity on this position */ const unsigned char *rep = NULL; @@ -1302,12 +1302,15 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char *old, size_t oldlen, size goto pass_char_through; if (all) { /* false that CHARSET_PARTIAL_SUPPORT(charset) */ - /* look for entity for this char */ if (to_uni_table != NULL) { + /* !CHARSET_UNICODE_COMPAT therefore not UTF-8; since UTF-8 + * is the only multibyte encoding with !CHARSET_PARTIAL_SUPPORT, + * we're using a single byte encoding */ map_to_unicode(this_char, to_uni_table, &this_char); if (this_char == 0xFFFF) /* no mapping; pass through */ goto pass_char_through; } + /* the cursor may advance */ find_entity_for_char(this_char, charset, entity_table.ms_table, &rep, &rep_len, old, oldlen, &cursor); } else { @@ -1397,6 +1400,10 @@ encode_amp: } } /* checks passed; copy entity to result */ + /* entity size is unbounded, we may need more memory */ + if (maxlen < len + ent_len + 2 /* & and ; */) { + replaced = erealloc(replaced, (maxlen += ent_len + 128) + 1); + } replaced[len++] = '&'; memcpy(&replaced[len], &old[cursor], ent_len); len += ent_len; diff --git a/ext/standard/tests/strings/bug60965.phpt b/ext/standard/tests/strings/bug60965.phpt new file mode 100644 index 0000000000..57a3b1c947 --- /dev/null +++ b/ext/standard/tests/strings/bug60965.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #60965: Buffer overflow on htmlspecialchars/entities with $double=false +--FILE-- +<?php +echo htmlspecialchars('"""""""""""""""""""""""""""""""""""""""""""""', +ENT_QUOTES, 'UTF-8', false), "\n"; +echo "Done.\n"; +--EXPECT-- +""""""""""""""""""""""""""""""""""""""""""""" +Done. |