diff options
author | Nikita Popov <nikita.ppv@gmail.com> | 2020-01-29 12:19:28 +0100 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2020-01-29 12:19:28 +0100 |
commit | 5589bf4d4af830b2a081475cf8065bf1ed9cf19a (patch) | |
tree | 25f2212503d7f04f8912d5ff927e5f652f84d599 | |
parent | 91f878779cdad878ae664e2abad83a2967ae56d1 (diff) | |
download | php-git-5589bf4d4af830b2a081475cf8065bf1ed9cf19a.tar.gz |
Fix length inconsistency in mb_convert_encoding
Don't mix strlen() and ZSTR_LEN(). If the encoding contains a
NULL byte, this will overflow the buffer.
NULL bytes will still make this behave oddly because the consuming
code will cut off the string there, but let's address that in master...
-rw-r--r-- | ext/mbstring/mbstring.c | 2 | ||||
-rw-r--r-- | ext/mbstring/tests/bug79149.phpt | 4 |
2 files changed, 5 insertions, 1 deletions
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c index 78557e7f94..d6b633ff3a 100644 --- a/ext/mbstring/mbstring.c +++ b/ext/mbstring/mbstring.c @@ -3370,7 +3370,7 @@ PHP_FUNCTION(mb_convert_encoding) if ( _from_encodings) { l = strlen(_from_encodings); - n = strlen(ZSTR_VAL(encoding_str)); + n = ZSTR_LEN(encoding_str); _from_encodings = erealloc(_from_encodings, l+n+2); memcpy(_from_encodings + l, ",", 1); memcpy(_from_encodings + l + 1, ZSTR_VAL(encoding_str), ZSTR_LEN(encoding_str) + 1); diff --git a/ext/mbstring/tests/bug79149.phpt b/ext/mbstring/tests/bug79149.phpt index fc3751d933..fe2007536e 100644 --- a/ext/mbstring/tests/bug79149.phpt +++ b/ext/mbstring/tests/bug79149.phpt @@ -8,6 +8,7 @@ if (!extension_loaded('mbstring')) die('skip mbstring extension not available'); <?php var_dump(mb_convert_encoding("", "UTF-8", [0])); var_dump(mb_convert_encoding('foo', 'UTF-8', array(['bar'], ['baz']))); +var_dump(mb_convert_encoding('foo', 'UTF-8', array("foo\0bar"))); ?> --EXPECTF-- Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d @@ -19,3 +20,6 @@ Notice: Array to string conversion in %s on line %d Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d string(3) "foo" + +Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d +string(3) "foo" |