fix CVE-2013-2110 - use correct formula to calculate string size

author: Stanislav Malyshev <stas@php.net> 2013-05-20 00:43:29 -0700
committer: Stanislav Malyshev <stas@php.net> 2013-06-04 21:56:33 -0700
commit: 93e0d78ec655f59ebfa82b2c6f8486c43651c1d0 (patch)
tree: 547aeef6268635df6c3b89a8599be968272c3b46 /ext
parent: 2463e8979470a8e61b17c28ae8f8f1dad63f856f (diff)
download: php-git-93e0d78ec655f59ebfa82b2c6f8486c43651c1d0.tar.gz
2 files changed, 13 insertions, 1 deletions
diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
index 280b86a9a2..6627858989 100644
--- a/ext/standard/quot_print.c
+++ b/ext/standard/quot_print.c
@@ -151,7 +151,7 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len
 	unsigned char c, *ret, *d;
 	char *hex = "0123456789ABCDEF";
 
-	ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0);
+	ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1);
 	d = ret;
 
 	while (length--) {
diff --git a/ext/standard/tests/strings/bug64879.phpt b/ext/standard/tests/strings/bug64879.phpt
new file mode 100644
index 0000000000..1df90c6d85
--- /dev/null
+++ b/ext/standard/tests/strings/bug64879.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #64879: quoted_printable_encode() wrong size calculation (CVE-2013-2110)
+--FILE--
+<?php
+
+quoted_printable_encode(str_repeat("\xf4", 1000)); 
+quoted_printable_encode(str_repeat("\xf4", 100000)); 
+
+echo "Done\n";
+?>
+--EXPECTF--	
+Done
author	Stanislav Malyshev <stas@php.net>	2013-05-20 00:43:29 -0700
committer	Stanislav Malyshev <stas@php.net>	2013-06-04 21:56:33 -0700
commit	93e0d78ec655f59ebfa82b2c6f8486c43651c1d0 (patch)
tree	547aeef6268635df6c3b89a8599be968272c3b46 /ext
parent	2463e8979470a8e61b17c28ae8f8f1dad63f856f (diff)
download	php-git-93e0d78ec655f59ebfa82b2c6f8486c43651c1d0.tar.gz