-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfilter.c | 4 | ||||
-rw-r--r-- | ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt | 31 |
3 files changed, 36 insertions, 0 deletions
@@ -55,6 +55,7 @@
 - Fixed the filter extension accepting IPv4 octets with a leading 0 as that belongs to the unsupported "dotted octal" representation. (Gustavo)
+- Fixed bug #53273 (mb_strcut() returns garbage with the excessive length parameter). (CVE-2010-4156) (Mateusz Kocielski, Pierre, Moriyoshi)
 - Fixed bug #53248 (rawurlencode RFC 3986 EBCDIC support misses tilde char). (Justin Martin)
 - Fixed bug #53241 (stream casting that relies on fdopen/fopencookie fails
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
index d11cebe447..b8b1db2683 100644
--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
+++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
@@ -1397,6 +1397,10 @@ mbfl_strcut(
 start = string->val + from;
 end = start + (length & -4);
 } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
+ if (from + length >= string->len) {
+ length = string->len - from;
+ }
+
 start = string->val + from;
 end = start + length;
 } else if (encoding->mblen_table != NULL) {
diff --git a/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt b/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
new file mode 100644
index 0000000000..a67b99e7da
--- /dev/null
+++ b/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
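Review bot: The new clamp in the SBCS branch bounds only `length`, not `from`: if `from` can already exceed `string->len` when mbfl_strcut is reached, `string->len - from` goes negative or wraps (the declared types of `from`, `length` and `len` are not visible in this hunk) and `end` lands before `start`; and with large signed operands `from + length` can overflow before it is ever compared. An overflow-free form that covers both cases is `if (from > string->len) { length = 0; } else if (length > string->len - from) { length = string->len - from; }`, assuming negative values are rejected by the caller — and if the PHP-level wrapper already guarantees `from <= len`, a one-line comment stating that invariant at this site would spare the next reader the same question. The WCS4 branch just above (`end = start + (length & -4);`) shows no clamp in the visible context even though the new test expects UCS-4 input to be truncated, so that branch is presumably bounded earlier in the function — worth confirming rather than assuming. mbfl_strcut begins before and ends after this hunk.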
@@ -0,0 +1,31 @@
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"
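Review bot: Every case in the new test uses `from == 0`, so the fixed expression `string->len - from` is never exercised with a non-zero offset, and the test would still pass if that subtraction were wrong for an interior start. Adding one single-byte case with an offset, e.g. `var_dump(bin2hex(mb_strcut("abc", 2, 32)));` under ISO-8859-1 with expected output `string(2) "63"`, plus one where `from` equals the input length, would pin that arithmetic as well. The multibyte expectations here depend on branches of mbfl_strcut that this diff does not touch, so they do not cover the changed code.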