ID: 50226
Updated by: [email protected]
Reported By: yoarvi at gmail dot com
-Status: Open
+Status: Closed
Bug Type: *Unicode Issues
Operating System: Solaris 5.10 (SPARC)
PHP Version: 6SVN-2009-11-19 (SVN)
New Comment:

This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------

[2009-11-24 11:08:18] [email protected]

Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=291259
Log: Fixed #50226 (Insufficient memory allocation for unicode string) - Patch by yoarvi at gmail dot com

------------------------------------------------------------------------

[2009-11-19 10:03:18] yoarvi at gmail dot com

Description:
------------
ext/standard/string.c:3460 allocates only 1 extra byte for the terminating null

str.u = safe_emalloc(2, UBYTES(old_len), 1);

but then assigns a null at line 3482 using

*q.u = 0;

which writes 2 bytes.

The following patch fixes the problem:

Index: ext/standard/string.c =================================================================== --- ext/standard/string.c (revision 290968) +++ ext/standard/string.c (working copy)
@@ -3457,7 +3457,7 @@ if (type == IS_UNICODE) { old_end.u = old.u + old_len; - str.u = safe_emalloc(2, UBYTES(old_len), 1); + str.u = safe_emalloc(2, UBYTES(old_len), UBYTES(1)); for (p.u = old.u, q.u = str.u; p.u != old_end.u; p.u++) { cp = *p.u;

Reproduce code:
---------------
./configure --enable-debug
% sapi/cli/php ext/standard/tests/strings/quotemeta_basic.php

Expected result:
----------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
unicode(20) "\\\+\*\?\[\^\]\(\$\)"

Actual result:
--------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
[Thu Nov 19 15:35:30 2009] Script: 'ext/standard/tests/strings/quotemeta_basic.php'
---------------------------------------
/home/arvi/php-trunk/ext/standard/string.c(3483) : Block 0x0969aed4 status:
Beginning: OK (allocated on /home/arvi/php-trunk/ext/standard/string.c:3460, 41 bytes)
Start: OK
End: Overflown (magic=0x00000000 instead of 0x2C8088DB)
1 byte(s) overflown
---------------------------------------
unicode(20) ""
[Thu Nov 19 15:35:30 2009] Script: 'ext/standard/tests/strings/quotemeta_basic.php'
/home/arvi/php-trunk/ext/standard/string.c(3460) : Freeing 0x0969AED4 (41 bytes), script=ext/standard/tests/strings/quotemeta_basic.php
/home/arvi/php-trunk/Zend/zend_alloc.c(2446) : Actual location (location was relayed)
=== Total 1 memory leaks detected ===

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=50226&edit=1
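Review bot: the third argument to `safe_emalloc` is the terminator's size and has to be expressed in the same unit as the elements, so replacing `1` with `UBYTES(1)` on the `str.u = safe_emalloc(...)` line is the right fix: `*q.u = 0` stores one whole UChar, and the old value left the block one byte short of that store, which is exactly the "1 byte(s) overflown" on the 41-byte block that the debug allocator reports. The factor of 2 covers the worst case of a backslash before every input character (the third expected-result string is exactly that case), so with `UBYTES(1)` the bound is tight; a one-line comment on the allocation stating both facts would keep a later edit from reintroducing the byte/UChar mismatch. Since the existing quotemeta_basic.php test already exercises the all-metacharacters input under --enable-debug, no additional regression test is needed for this change.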
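The sizing mistake the report describes (a one-byte terminator slot for a two-byte UChar store), shown in an added C example that is not PHP's own code: it mirrors the `UBYTES` idea with a `uint16_t` stand-in for UChar, computes the allocation both the original way and the patched way, and uses a bounds-checked escaper that refuses to write rather than overrunning the buffer. `is_meta`, `escaped_units`, `alloc_bytes_buggy`, `alloc_bytes_fixed`, `bytes_needed`, `buggy_alloc_overflows`, `quotemeta_u16` and the constructed sample inputs are all assumptions of this example; the metacharacter set is quotemeta()'s documented one. It also shows why only the third test string failed: the one-byte shortfall only bites when every input character is escaped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for PHP 6's UChar (assumption of this example): one UTF-16 code unit. */
typedef uint16_t UChar;

/* Byte size of n code units, mirroring the UBYTES(n) macro named in the report. */
#define UBYTES(n) ((size_t)(n) * sizeof(UChar))

/* The characters quotemeta() prefixes with a backslash: . \ + * ? [ ^ ] $ ( ) */
static int is_meta(UChar cp)
{
    switch (cp) {
    case '.': case '\\': case '+': case '*': case '?': case '[':
    case '^': case ']': case '$': case '(': case ')':
        return 1;
    default:
        return 0;
    }
}

/* Exact number of code units the escaped form occupies, terminator excluded. */
size_t escaped_units(const UChar *in, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += is_meta(in[i]) ? 2 : 1;
    return n;
}

/* Allocation as line 3460 originally computed it: 2*len code units plus ONE
 * byte of slack for a terminator that is actually sizeof(UChar) bytes wide. */
size_t alloc_bytes_buggy(size_t len) { return 2 * UBYTES(len) + 1; }

/* Allocation after the patch: the slack is a whole code unit. */
size_t alloc_bytes_fixed(size_t len) { return 2 * UBYTES(len) + UBYTES(1); }

/* Bytes the escaped output really needs, including its UChar terminator. */
size_t bytes_needed(const UChar *in, size_t len)
{
    return UBYTES(escaped_units(in, len)) + UBYTES(1);
}

/* 1 if the original allocation would be overrun by the terminator store
 * for this particular input, 0 otherwise. */
int buggy_alloc_overflows(const UChar *in, size_t len)
{
    return bytes_needed(in, len) > alloc_bytes_buggy(len);
}

/* Bounds-checked escaper: writes the escaped string plus a UChar terminator
 * into out (capacity out_bytes) and returns the code units written, terminator
 * excluded. Returns -1 and writes nothing if out cannot hold the result. */
long quotemeta_u16(const UChar *in, size_t len, UChar *out, size_t out_bytes)
{
    if (out_bytes < bytes_needed(in, len))
        return -1;
    UChar *q = out;
    for (size_t i = 0; i < len; i++) {
        if (is_meta(in[i]))
            *q++ = '\\';
        *q++ = in[i];
    }
    *q = 0;  /* the store that overran the 1-byte slack in the report */
    return (long)(q - out);
}

/* Constructed sample: the third input from the report's test, all
 * metacharacters, so it hits the 2x worst case exactly. */
const UChar SAMPLE[] = { '\\', '+', '*', '?', '[', '^', ']', '(', '$', ')' };
const size_t SAMPLE_LEN = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

/* Constructed sample with a single metacharacter: the slack is not exhausted. */
const UChar SAMPLE2[] = { 'a', 'b', '?' };
const size_t SAMPLE2_LEN = sizeof(SAMPLE2) / sizeof(SAMPLE2[0]);

UChar scratch[64];

int main(void)
{
    printf("buggy alloc: %zu bytes, fixed alloc: %zu bytes, needed: %zu bytes\n",
           alloc_bytes_buggy(SAMPLE_LEN), alloc_bytes_fixed(SAMPLE_LEN),
           bytes_needed(SAMPLE, SAMPLE_LEN));
    printf("write into buggy-sized buffer: %ld\n",
           quotemeta_u16(SAMPLE, SAMPLE_LEN, scratch, alloc_bytes_buggy(SAMPLE_LEN)));
    printf("write into fixed-sized buffer: %ld code units\n",
           quotemeta_u16(SAMPLE, SAMPLE_LEN, scratch, alloc_bytes_fixed(SAMPLE_LEN)));
    printf("single-meta input overflows buggy alloc: %d\n",
           buggy_alloc_overflows(SAMPLE2, SAMPLE2_LEN));
    return 0;
}
```

For the ten-character all-metacharacter input the numbers reproduce the report: the original formula yields 41 bytes, the escaped output needs 42, and the bounds-checked writer returns -1 for the 41-byte capacity instead of writing the terminator past the end.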
