Commit: b595b775f771543a7d3d675e16179a5e13aff468 Author: Gustavo André dos Santos Lopes <cataphr...@php.net> Wed, 23 May 2012 12:44:44 +0200 Committer: Stanislav Malyshev <s...@php.net> Wed, 23 May 2012 18:25:27 -0500 Parents: 169c9ac0c59c4863131b66045cfa121db7ad66cd Branches: PHP-5.4.4
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=b595b775f771543a7d3d675e16179a5e13aff468 Log: Fixed bug #62082 This was a buffer overflow in internal function get_icu_disp_value_src_php(). Bugs: https://bugs.php.net/62082 Changed paths: M ext/intl/locale/locale_methods.c A ext/intl/tests/bug62082.phpt Diff: diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index 39d162a..1707c69 100755 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c @@ -527,7 +527,7 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME /* Get the disp_value for the given locale */ do{ - disp_name = erealloc( disp_name , buflen ); + disp_name = erealloc( disp_name , buflen * sizeof(UChar) ); disp_name_len = buflen; if( strcmp(tag_name , LOC_LANG_TAG)==0 ){ @@ -542,6 +542,7 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME buflen = uloc_getDisplayName ( mod_loc_name , disp_loc_name , disp_name , disp_name_len , &status); } + /* U_STRING_NOT_TERMINATED_WARNING is admissible here; don't look for it */ if( U_FAILURE( status ) ) { if( status == U_BUFFER_OVERFLOW_ERROR ) @@ -1562,11 +1563,11 @@ PHP_FUNCTION(locale_lookup) /* }}} */ /* {{{ proto string Locale::acceptFromHttp(string $http_accept) -* Tries to find out best available locale based on HTTP �Accept-Language� header +* Tries to find out best available locale based on HTTP �Accept-Language� header */ /* }}} */ /* {{{ proto string locale_accept_from_http(string $http_accept) -* Tries to find out best available locale based on HTTP �Accept-Language� header +* Tries to find out best available locale based on HTTP �Accept-Language� header */ PHP_FUNCTION(locale_accept_from_http) { diff --git a/ext/intl/tests/bug62082.phpt b/ext/intl/tests/bug62082.phpt new file mode 100644 index 0000000..e6ca73e --- /dev/null +++ b/ext/intl/tests/bug62082.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #62082: Memory corruption in internal get_icu_disp_value_src_php() +--SKIPIF-- +<?php +if (!extension_loaded('intl')) + die('skip intl extension not enabled'); +--FILE-- +<?php +var_dump(locale_get_display_name(str_repeat("a", 300), null)); +var_dump(locale_get_display_name(str_repeat("a", 512), null)); +var_dump(locale_get_display_name(str_repeat("a", 600), null)); +--EXPECT-- +string(300) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +string(512) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +string(600) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
