diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-03-12 13:04:04 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-03-17 09:26:47 +0100 |
| commit | b8048de333325c21c9763aa0270c5cb54f03cbab (patch) | |
| tree | 3bb304ed76266cceb829118f22aa7d0d5b02fc06 | |
| parent | c099c71ea5c25cf6b435cbf288e35403c49c17a6 (diff) | |
| download | php-git-b8048de333325c21c9763aa0270c5cb54f03cbab.tar.gz | |
Fix #79371: mb_strtolower (UTF-32LE): stack-buffer-overflow
We make sure that negative values are properly compared.
(cherry picked from commit 1fdffd1c55d771ca22ae217784ab75fce592ad38)
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | ext/mbstring/php_unicode.c | 2 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug79371.phpt | 14 |
3 files changed, 19 insertions, 1 deletions
@@ -30,6 +30,10 @@ PHP NEWS . Fixed bug #79282 (Use-of-uninitialized-value in exif). (CVE-2020-7064) (Nikita) +- MBstring: + . Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at + php_unicode_tolower_full). (CVE-2020-7065) (cmb) + - MySQLi: . Fixed bug #64032 (mysqli reports different client_version). (cmb) diff --git a/ext/mbstring/php_unicode.c b/ext/mbstring/php_unicode.c index ac452b6a20..acb16bf06e 100644 --- a/ext/mbstring/php_unicode.c +++ b/ext/mbstring/php_unicode.c @@ -315,7 +315,7 @@ static int convert_case_filter(int c, void *void_data) /* Handle invalid characters early, as we assign special meaning to * codepoints above 0xffffff. */ - if (UNEXPECTED(c > 0xffffff)) { + if (UNEXPECTED((unsigned) c > 0xffffff)) { (*data->next_filter->filter_function)(c, data->next_filter); return 0; } diff --git a/ext/mbstring/tests/bug79371.phpt b/ext/mbstring/tests/bug79371.phpt new file mode 100644 index 0000000000..3014feba53 --- /dev/null +++ b/ext/mbstring/tests/bug79371.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow) +--SKIPIF-- +<?php +if (!extension_loaded('mbstring')) die('skip mbstring extension not available'); +?> +--FILE-- +<?php +$bytes = array(0xef, 0xbf, 0xbd, 0xef); +$str = implode(array_map("chr", $bytes)); +var_dump(bin2hex(mb_strtolower($str, "UTF-32LE"))); +?> +--EXPECT-- +string(8) "3f000000" |