moriyoshi                                Tue, 09 Nov 2010 03:23:04 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=305214

Log:
- Fix bug #53273 (mb_strcut() returns garbage with the excessive length 
parameter).

Bug: http://bugs.php.net/53273 (Open) mb_strcut() returns garbage with the 
excessive length parameter
      
Changed paths:
    A   
php/php-src/branches/PHP_5_2/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c
    A   
php/php-src/branches/PHP_5_3/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
    U   php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c
    A   
php/php-src/trunk/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt

Added: 
php/php-src/branches/PHP_5_2/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
===================================================================
--- 
php/php-src/branches/PHP_5_2/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
                               (rev 0)
+++ 
php/php-src/branches/PHP_5_2/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
       2010-11-09 03:23:04 UTC (rev 305214)
@@ -0,0 +1,62 @@
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is 
not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 
0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 
0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is 
not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 
0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 
0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"
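Review bot: The new .phpt for PHP_5_2 is the same 31-line test pasted twice: lines 67–100 of this hunk repeat the `--TEST--`, `--SKIPIF--`, `--FILE--` and `--EXPECT--` sections of lines 33–66 verbatim, which is also why this hunk header says `+1,62` while the PHP_5_3 and trunk copies say `+1,31`. Whether run-tests tolerates a repeated section header depends on the harness version; if it does not, the second `--TEST--` and everything after it is folded into the first `--EXPECT--` block and the test fails regardless of the mbfilter.c fix. Drop the second copy so the PHP_5_2 file matches the PHP_5_3 and trunk files.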

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-11-09 00:56:00 UTC (rev 305213)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-11-09 03:23:04 UTC (rev 305214)
@@ -55,6 +55,7 @@
 - Fixed the filter extension accepting IPv4 octets with a leading 0 as that
   belongs to the unsupported "dotted octal" representation. (Gustavo)

+- Fixed bug #53273 (mb_strcut() returns garbage with the excessive length 
parameter). (CVE-2010-4156) (Mateusz Kocielski, Pierre, Moriyoshi)
 - Fixed bug #53248 (rawurlencode RFC 3986 EBCDIC support misses tilde char).
   (Justin Martin)
 - Fixed bug #53241 (stream casting that relies on fdopen/fopencookie fails

Modified: php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c   
2010-11-09 00:56:00 UTC (rev 305213)
+++ php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c   
2010-11-09 03:23:04 UTC (rev 305214)
@@ -1397,6 +1397,10 @@
                        start = string->val + from;
                        end   = start + (length & -4);
                } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
+                       if (from + length >= string->len) {
+                               length = string->len - from;
+                       }
+
                        start = string->val + from;
                        end = start + length;
                } else if (encoding->mblen_table != NULL) {
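Review bot: `string->len - from` on the second added line wraps if `from` is already past the end of the string, so the clamp is only safe when a `from <= string->len` check precedes it outside this hunk; none is visible here, so that precondition should be confirmed or recorded with a comment such as `/* caller guarantees from <= string->len */`. If `from` and `length` are signed ints (their declarations are not in the hunk), `from + length` can also overflow before the comparison; `if (length > string->len - from)` avoids the addition and, unlike the `>=` form, skips the no-op assignment when the sum exactly equals `string->len`. The clamp is added to the SBCS branch only; the UCS-4 and UCS-2 cases in the new test suggest the fixed-width branches above are bounded elsewhere, but that is outside the hunk. The same applies to the identical trunk hunk of mbfilter.c below. The enclosing function (presumably mbfl_strcut) begins and ends outside this hunk.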

Added: 
php/php-src/branches/PHP_5_3/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
===================================================================
--- 
php/php-src/branches/PHP_5_3/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
                               (rev 0)
+++ 
php/php-src/branches/PHP_5_3/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
       2010-11-09 03:23:04 UTC (rev 305214)
@@ -0,0 +1,31 @@
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is 
not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 
0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 
0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"
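Review bot: Every case in the new test uses offset `0`, so the `from + length` clamp added in mbfilter.c is exercised only at its easiest point, and only the ISO-8859-1 case reaches the single-byte branch the fix actually touches. A case such as `var_dump(bin2hex(mb_strcut("abc", 2, 32)));` with expected `string(2) "63"`, plus one where `from` equals the string length, would pin the clamp itself rather than just the zero-offset result. The `--SKIPIF--` probe for `mb_convert_encoding()` guards a function the test body never calls and can be dropped. The same applies to the PHP_5_2 and trunk copies of this test above and below.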

Modified: php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c
===================================================================
--- php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c      2010-11-09 
00:56:00 UTC (rev 305213)
+++ php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c      2010-11-09 
03:23:04 UTC (rev 305214)
@@ -1397,6 +1397,10 @@
                        start = string->val + from;
                        end   = start + (length & -4);
                } else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
+                       if (from + length >= string->len) {
+                               length = string->len - from;
+                       }
+
                        start = string->val + from;
                        end = start + length;
                } else if (encoding->mblen_table != NULL) {

Added: 
php/php-src/trunk/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt
===================================================================
--- php/php-src/trunk/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt  
                        (rev 0)
+++ php/php-src/trunk/ext/mbstring/tests/mb_strcut_missing_boundary_check.phpt  
2010-11-09 03:23:04 UTC (rev 305214)
@@ -0,0 +1,31 @@
+--TEST--
+mb_strcut() missing boundary check.
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+function_exists('mb_convert_encoding') or die("skip mb_convert_encoding() is 
not available in this build");
+?>
+--FILE--
+<?php
+mb_internal_encoding("UCS-4LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x00\x00\x62\x00\x00\x00\x63\x00\x00\x00", 
0, 32)));
+mb_internal_encoding("UCS-4BE");
+var_dump(bin2hex(mb_strcut("\x00\x00\x00\x61\x00\x00\x00\x62\x00\x00\x00\x63", 
0, 32)));
+mb_internal_encoding("UCS-2LE");
+var_dump(bin2hex(mb_strcut("\x61\x00\x62\x00\x63\x00", 0, 32)));
+mb_internal_encoding("UCS-2BE");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-16");
+var_dump(bin2hex(mb_strcut("\x00\x61\x00\x62\x00\x63", 0, 32)));
+mb_internal_encoding("UTF-8");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+mb_internal_encoding("ISO-8859-1");
+var_dump(bin2hex(mb_strcut("abc", 0, 32)));
+--EXPECT--
+string(24) "610000006200000063000000"
+string(24) "000000610000006200000063"
+string(12) "610062006300"
+string(12) "006100620063"
+string(12) "006100620063"
+string(6) "616263"
+string(6) "616263"
