summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2013-06-04 21:57:16 -0700
committerStanislav Malyshev <stas@php.net>2013-06-04 21:58:44 -0700
commitefdeec3c0eb8e1bd9d14af37be6979fb46eda5df (patch)
tree825ac4a493eff40807d9d75809257273595a67c4
parent90bb28726bd0728059b0d58b1c063ae8ea250966 (diff)
parent93e0d78ec655f59ebfa82b2c6f8486c43651c1d0 (diff)
downloadphp-git-efdeec3c0eb8e1bd9d14af37be6979fb46eda5df.tar.gz
Merge branch 'PHP-5.3' into PHP-5.4
* PHP-5.3: fix CVE-2013-2110 - use correct formula to calculate string size
-rw-r--r--NEWS8
-rw-r--r--ext/standard/quot_print.c4
-rw-r--r--ext/standard/tests/strings/bug64879.phpt12
3 files changed, 19 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index 133a202cb7..371ec37238 100644
--- a/NEWS
+++ b/NEWS
@@ -20,12 +20,14 @@ PHP NEWS
?? ??? 2013, PHP 5.4.16
- Core:
- . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry)
+ . Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode,
+ CVE 2013-2110). (Stas)
+ . Fixed bug #64853 (Use of no longer available ini directives causes crash on
+ TS build). (Anatol)
. Fixed bug #64729 (compilation failure on x32). (Gustavo)
+ . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry)
. Fixed bug #64660 (Segfault on memory exhaustion within function definition).
(Stas, reported by Juha Kylmänen)
- . Fixed bug #64853 (Use of no longer available ini directives causes crash on
- TS build). (Anatol)
- Calendar:
. Fixed bug #64895 (Integer overflow in SndToJewish). (Remi)
diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
index 28dcc63f13..0df127362f 100644
--- a/ext/standard/quot_print.c
+++ b/ext/standard/quot_print.c
@@ -151,7 +151,7 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len
unsigned char c, *ret, *d;
char *hex = "0123456789ABCDEF";
- ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0);
+ ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1);
d = ret;
while (length--) {
@@ -286,4 +286,4 @@ PHP_FUNCTION(quoted_printable_encode)
* End:
* vim600: sw=4 ts=4 fdm=marker
* vim<600: sw=4 ts=4
- */ \ No newline at end of file
+ */
diff --git a/ext/standard/tests/strings/bug64879.phpt b/ext/standard/tests/strings/bug64879.phpt
new file mode 100644
index 0000000000..1df90c6d85
--- /dev/null
+++ b/ext/standard/tests/strings/bug64879.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #64879: quoted_printable_encode() wrong size calculation (CVE-2013-2110)
+--FILE--
+<?php
+
+quoted_printable_encode(str_repeat("\xf4", 1000));
+quoted_printable_encode(str_repeat("\xf4", 100000));
+
+echo "Done\n";
+?>
+--EXPECTF--
+Done