moriyoshi Tue, 09 Nov 2010 03:23:04 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=305214
Log:
- Fix bug #53273 (mb_strcut() returns garbage with the excessive length parameter).
Bug: http://bugs.php.net/53273 (Open) mb_strcut() returns garbage with the excessive length parameter
Changed paths:
A php/php-src/branches/PHP_5_2/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c
A php/php-src/branches/PHP_5_3/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
U php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c
A php/php-src/trunk/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
Added: php/php-src/branches/PHP_5_2/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
===================================================================
--- php/php-src/branches/PHP_5_2/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt (rev 0)
+++ php/php-src/branches/PHP_5_2/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt 2010-11-09 03:23:04 UTC (rev 305214)
@@ -0,0 +1,62 @@
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-11-09 00:56:00 UTC (rev 305213)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-11-09 03:23:04 UTC (rev 305214)
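Review bot: The PHP_5_2 copy of this test carries its body twice — the hunk is `+1,62` lines and a second `--TEST--` header appears right after the first `--EXPECT--` block — while the PHP_5_3 and trunk copies of the same file are 31 lines. Depending on how run-tests.php treats a repeated section name, the first copy is either silently ignored or the test is reported as broken, so the second copy should be removed to make the file match the other branches. Across all three copies every case uses `from = 0`, yet the guard this commit adds computes `length = string->len - from`; one single-byte case with a nonzero offset, e.g. `var_dump(bin2hex(mb_strcut("abc", 1, 32)));` under ISO-8859-1 with expected `string(4) "6263"`, would exercise the subtraction as well as the clamp. The same remark applies to the PHP_5_3 and trunk test files added later in this commit.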
@@ -55,6 +55,7 @@
 - Fixed the filter extension accepting IPv4 octets with a leading 0 as that belongs to the unsupported "dotted octal" representation. (Gustavo)
+- Fixed bug #53273 (mb_strcut() returns garbage with the excessive length parameter). (CVE-2010-4156) (Mateusz Kocielski, Pierre, Moriyoshi)
 - Fixed bug #53248 (rawurlencode RFC 3986 EBCDIC support misses tilde char). (Justin Martin)
 - Fixed bug #53241 (stream casting that relies on fdopen/fopencookie fails
Modified: php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c 2010-11-09 00:56:00 UTC (rev 305213)
+++ php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c 2010-11-09 03:23:04 UTC (rev 305214)
@@ -1397,6 +1397,10 @@
 start = string->val + from;
 end = start + (length & -4);
 } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
+ if (from + length >= string->len) {
+ length = string->len - from;
+ }
+
 start = string->val + from;
 end = start + length;
 } else if (encoding->mblen_table != NULL) {
Added: php/php-src/branches/PHP_5_3/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt 2010-11-09 03:23:04 UTC (rev 305214)
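Review bot: The clamp is added only inside the `MBFL_ENCTYPE_SBCS` branch, while the wide-character branch just above it still computes `end = start + (length & -4);` from the caller's `length` with no bound visible in this hunk, and the `mblen_table` branch that follows is not visible at all; if those paths rely on a clamp earlier in the enclosing function a one-line comment such as `/* length already bounded for wide-char paths above; SBCS needs its own clamp */` would save the next reader from re-checking, and if they do not, the same guard belongs there too. The test would be more robust written as `if (length > string->len - from)`: the function presumably rejects `from >= string->len` before reaching this point (outside the hunk), so the right-hand side cannot go negative, whereas `from + length` can wrap if both are signed and `length` is the oversized value this bug is about — confirm against the declared types of `from`, `length` and `string->len`. `>=` versus `>` changes nothing here (the equal case assigns the value `length` already has), but `>` states the intended condition. The identical hunk is applied to trunk's mbfilter.c later in this commit and these remarks apply there as well; the enclosing function starts and ends outside the hunk.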
@@ -0,0 +1,31 @@
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"
Modified: php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c
===================================================================
--- php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c 2010-11-09 00:56:00 UTC (rev 305213)
+++ php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c 2010-11-09 03:23:04 UTC (rev 305214)
@@ -1397,6 +1397,10 @@
 start = string->val + from;
 end = start + (length & -4);
 } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
+ if (from + length >= string->len) {
+ length = string->len - from;
+ }
+
 start = string->val + from;
 end = start + length;
 } else if (encoding->mblen_table != NULL) {
Added: php/php-src/trunk/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
===================================================================
--- php/php-src/trunk/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt (rev 0)
+++ php/php-src/trunk/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt 2010-11-09 03:23:04 UTC (rev 305214)
@@ -0,0 +1,31 @@
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"