From:
Operating system: Windows
PHP version: trunk-SVN-2011-06-12 (SVN)
Package: *Unicode Issues
Bug Type: Bug
Bug description: Erealloc in iconv.c unsafe

Description:
------------
iconv.c php_iconv_string does a potentially unsafe realloc if !ICONV_SUPPORTS_ERRNO (which I assume is mostly used on non-*nix targets).

The realloc (r306938 near line 515) in this code fragment might reallocate out_buffer to a new region, but out_p still points to the "old" buffer. The iconv() flush then might write to the old allocation via the old pointer, overwriting already deallocated memory.

If PHP's internal realloc never reallocates to a new block, I'm wrong of course, but that might still be worthy of a comment.

This bug was found while I stumbled on the PHP code as part of a search for errnoless iconv code. I've no further interest in PHP, I just noticed it and thought it was worthwhile to report.

PHP viewvc URL where I noticed the problem:
http://svn.php.net/viewvc/php/php-src/trunk/ext/iconv/iconv.c?revision=306938&view=markup

Test script:
---------------
No example, problem found via code review

Expected result:
----------------
I'm no C hacker, but I'd expect the code to be something like

    if (out_left < 8) {
        size_t some_int;
        /* remember the write position as an offset, not as a pointer */
        some_int = out_p - out_buffer;
        out_buffer = (char *) erealloc(out_buffer, out_size + 8);
        /* re-derive the write pointer from the (possibly moved) buffer */
        out_p = &out_buffer[some_int];
    }

-- 
Edit bug report at http://bugs.php.net/bug.php?id=55042&edit=1
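As an added example (not the reporter's or PHP's code), the offset-preserving growth pattern sketched in the expected result, applied in a small self-contained C loop shaped like the report's buffer-growing fragment. Plain realloc() stands in for erealloc(), and the hex "conversion" is a constructed stand-in for iconv() chosen so that the output always outgrows its initial 8-byte buffer and the realloc path is exercised.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Grow *buf by `extra` bytes while keeping *cursor at the same offset inside
 * the (possibly moved) block. The offset is taken before realloc() and the
 * cursor re-derived from the new base, so the freed old block is never touched. */
static int grow_out_buffer(char **buf, char **cursor, size_t *size,
                           size_t *left, size_t extra)
{
    size_t used = (size_t)(*cursor - *buf);        /* offset survives a move */
    char *nbuf = realloc(*buf, *size + extra);     /* stands in for erealloc() */
    if (nbuf == NULL) return 0;                    /* failure: *buf is still valid */
    *buf = nbuf;
    *size += extra;
    *left += extra;
    *cursor = nbuf + used;                         /* never reuse the old pointer */
    return 1;
}

/* Constructed stand-in for the iconv() loop: emit each input byte as two hex
 * digits into a growing, NUL-terminated malloc'd buffer. Caller frees. */
char *hex_convert(const unsigned char *in, size_t len)
{
    size_t out_size = 8;                           /* small first guess, forces growth */
    size_t out_left = out_size;
    char *out_buffer = malloc(out_size);
    char *out_p = out_buffer;
    if (out_buffer == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        /* Same shape as the report's fragment: grow when fewer than 8 bytes remain. */
        if (out_left < 8 &&
            !grow_out_buffer(&out_buffer, &out_p, &out_size, &out_left, 8)) {
            free(out_buffer);
            return NULL;
        }
        out_p += sprintf(out_p, "%02x", in[i]);   /* 2 digits + scratch NUL fit in 8 */
        out_left -= 2;
    }
    *out_p = '\0';                                 /* out_left >= 6 here, so in bounds */
    return out_buffer;
}
/* Convenience check: convert `s` and compare with `expected`; 1 on match. */
int hex_convert_matches(const char *s, const char *expected)
{
    char *got = hex_convert((const unsigned char *)s, strlen(s));
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```

Running hex_convert under a tool such as AddressSanitizer with the `*cursor = nbuf + used;` line removed reproduces the class of fault the report describes: the next sprintf() lands in the block realloc() has already released.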
