Commit:    f16f5770c2e832dec3ba891ad49def4d26cd780b
Author:    Stanislav Malyshev <s...@php.net>         Mon, 20 May 2013 00:43:29 -0700
Parents:   d6c1fc97f4d73c130f443fe7e3d310d66e1529f0
Branches:  PHP-5.4.16

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=f16f5770c2e832dec3ba891ad49def4d26cd780b

Log:
fix CVE-2013-2110 - use correct formula to calculate string size

Changed paths:
  M  NEWS
  M  ext/standard/quot_print.c
  A  ext/standard/tests/strings/bug64879.phpt


Diff:
diff --git a/NEWS b/NEWS
index b42dea0..78075f8 100644
--- a/NEWS
+++ b/NEWS
@@ -3,12 +3,14 @@ PHP                                                           
             NEWS
 23 May 2013, PHP 5.4.16 RC1
 
 - Core:
-  . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry)
+  . Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode, 
+    CVE 2013-2110). (Stas)
+  . Fixed bug #64853 (Use of no longer available ini directives causes crash on
+    TS build). (Anatol)
   . Fixed bug #64729 (compilation failure on x32). (Gustavo)
+  . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry)
   . Fixed bug #64660 (Segfault on memory exhaustion within function 
definition).
     (Stas, reported by Juha Kylmänen)
-  . Fixed bug #64853 (Use of no longer available ini directives causes crash on
-    TS build). (Anatol)
 
 - Calendar:
   . Fixed bug #64895 (Integer overflow in SndToJewish). (Remi)
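Review bot: the new NEWS entry spells the identifier "CVE 2013-2110" (no hyphen) while the commit log and the test file both use the canonical "CVE-2013-2110"; write it as "CVE-2013-2110" in NEWS too so the entry is greppable and matches the advisory. The hunk also moves the existing #64720 and #64853 entries instead of only inserting #64879; that is fine if the goal is descending bug-number order within the section, but it makes the NEWS diff larger than the fix needs and slightly harder to backport.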
diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
index 28dcc63..0df1273 100644
--- a/ext/standard/quot_print.c
+++ b/ext/standard/quot_print.c
@@ -151,7 +151,7 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned 
char *str, size_t len
        unsigned char c, *ret, *d;
        char *hex = "0123456789ABCDEF";
 
-       ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) 
+ 1), 0);
+       ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 
1), 1);
        d = ret;
 
        while (length--) {
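Review bot: the inner `3 * length` in the size argument is evaluated before safe_emalloc() ever sees it, so safe_emalloc's overflow check only covers the final `3 * (...) + 1`; for a size_t `length` above SIZE_MAX/3 the division `(3 * length)/(PHP_QPRINT_MAXL-9)` silently works on a wrapped value. That is unlikely to be reachable through PHP strings, but either a guard on `length` or a comment saying why it is safe would close the question. More important for the next person touching this file: the `-9` is not explained anywhere in the hunk. Add a comment stating which input bytes force the shortest run before a soft line break (the new test feeds 0xf4 bytes), and that the loop below wraps at that point, so whoever changes the wrapping thresholds knows this allocation formula must change in step with them. As it stands the only documentation of the sizing rule is the CVE number in the commit message.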
@@ -286,4 +286,4 @@ PHP_FUNCTION(quoted_printable_encode)
  * End:
  * vim600: sw=4 ts=4 fdm=marker
  * vim<600: sw=4 ts=4
- */
\ No newline at end of file
+ */
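Review bot: this hunk only restores the missing newline at end of file. Harmless, but an unrelated whitespace change is better kept out of a security fix that will be backported, so the patch applies cleanly on other branches.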
diff --git a/ext/standard/tests/strings/bug64879.phpt 
b/ext/standard/tests/strings/bug64879.phpt
new file mode 100644
index 0000000..1df90c6
--- /dev/null
+++ b/ext/standard/tests/strings/bug64879.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #64879: quoted_printable_encode() wrong size calculation (CVE-2013-2110)
+--FILE--
+<?php
+
+quoted_printable_encode(str_repeat("\xf4", 1000)); 
+quoted_printable_encode(str_repeat("\xf4", 100000)); 
+
+echo "Done\n";
+?>
+--EXPECTF--    
+Done
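Review bot: the test only proves the script reaches `echo "Done\n"`; a heap overflow of a few bytes past the allocation will often not crash a release build, so this test can pass against the unfixed formula. Assert on the result as well, for example `var_dump(strlen(quoted_printable_encode(str_repeat("\xf4", 1000))));` with the known encoded length in the expected output, or check that no output line exceeds the quoted-printable line limit, so the test fails on a wrong size or wrong wrapping and not only on a crash. Also, `--EXPECTF--` is used but the expected section contains no format directives, so `--EXPECT--` is sufficient, and the trailing whitespace after the section tag should be dropped.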


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php