diff options
| author | Stanislav Malyshev <stas@php.net> | 2013-06-04 21:57:16 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2013-06-04 21:58:44 -0700 |
| commit | efdeec3c0eb8e1bd9d14af37be6979fb46eda5df (patch) | |
| tree | 825ac4a493eff40807d9d75809257273595a67c4 | |
| parent | 90bb28726bd0728059b0d58b1c063ae8ea250966 (diff) | |
| parent | 93e0d78ec655f59ebfa82b2c6f8486c43651c1d0 (diff) | |
| download | php-git-efdeec3c0eb8e1bd9d14af37be6979fb46eda5df.tar.gz | |
Merge branch 'PHP-5.3' into PHP-5.4
* PHP-5.3:
fix CVE-2013-2110 - use correct formula to calculate string size
| -rw-r--r-- | NEWS | 8 | ||||
| -rw-r--r-- | ext/standard/quot_print.c | 4 | ||||
| -rw-r--r-- | ext/standard/tests/strings/bug64879.phpt | 12 |
3 files changed, 19 insertions, 5 deletions
@@ -20,12 +20,14 @@ PHP NEWS ?? ??? 2013, PHP 5.4.16 - Core: - . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry) + . Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, + CVE 2013-2110). (Stas) + . Fixed bug #64853 (Use of no longer available ini directives causes crash on + TS build). (Anatol) . Fixed bug #64729 (compilation failure on x32). (Gustavo) + . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry) . Fixed bug #64660 (Segfault on memory exhaustion within function definition). (Stas, reported by Juha Kylmänen) - . Fixed bug #64853 (Use of no longer available ini directives causes crash on - TS build). (Anatol) - Calendar: . Fixed bug #64895 (Integer overflow in SndToJewish). (Remi) diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c index 28dcc63f13..0df127362f 100644 --- a/ext/standard/quot_print.c +++ b/ext/standard/quot_print.c @@ -151,7 +151,7 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len unsigned char c, *ret, *d; char *hex = "0123456789ABCDEF"; - ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0); + ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1); d = ret; while (length--) { @@ -286,4 +286,4 @@ PHP_FUNCTION(quoted_printable_encode) * End: * vim600: sw=4 ts=4 fdm=marker * vim<600: sw=4 ts=4 - */
\ No newline at end of file + */ diff --git a/ext/standard/tests/strings/bug64879.phpt b/ext/standard/tests/strings/bug64879.phpt new file mode 100644 index 0000000000..1df90c6d85 --- /dev/null +++ b/ext/standard/tests/strings/bug64879.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #64879: quoted_printable_encode() wrong size calculation (CVE-2013-2110) +--FILE-- +<?php + +quoted_printable_encode(str_repeat("\xf4", 1000)); +quoted_printable_encode(str_repeat("\xf4", 100000)); + +echo "Done\n"; +?> +--EXPECTF-- +Done |