Commit: 93e0d78ec655f59ebfa82b2c6f8486c43651c1d0 Author: Stanislav Malyshev <s...@php.net> Mon, 20 May 2013 00:43:29 -0700 Parents: 2463e8979470a8e61b17c28ae8f8f1dad63f856f Branches: PHP-5.3 PHP-5.4 PHP-5.5
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=93e0d78ec655f59ebfa82b2c6f8486c43651c1d0 Log: fix CVE-2013-2110 - use correct formula to calculate string size Changed paths: M NEWS M ext/standard/quot_print.c A ext/standard/tests/strings/bug64879.phpt Diff: diff --git a/NEWS b/NEWS index a1fbbcd..60a4035 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,10 @@ PHP NEWS ### DO NOT ADD ENTRIES HERE, ADD THEM ABOVE FOR 5.3.27 ### +- Core: + . Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, + CVE 2013-2110). (Stas) + - Calendar: . Fixed bug #64895 (Integer overflow in SndToJewish). (Remi) diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c index 280b86a..6627858 100644 --- a/ext/standard/quot_print.c +++ b/ext/standard/quot_print.c @@ -151,7 +151,7 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len unsigned char c, *ret, *d; char *hex = "0123456789ABCDEF"; - ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0); + ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1); d = ret; while (length--) { diff --git a/ext/standard/tests/strings/bug64879.phpt b/ext/standard/tests/strings/bug64879.phpt new file mode 100644 index 0000000..1df90c6 --- /dev/null +++ b/ext/standard/tests/strings/bug64879.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #64879: quoted_printable_encode() wrong size calculation (CVE-2013-2110) +--FILE-- +<?php + +quoted_printable_encode(str_repeat("\xf4", 1000)); +quoted_printable_encode(str_repeat("\xf4", 100000)); + +echo "Done\n"; +?> +--EXPECTF-- +Done -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
