aharvey Thu, 30 Sep 2010 02:35:37 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=303885
Log: MFH: Fix for bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data). Bug: http://bugs.php.net/52929 (Closed) Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c A + php/php-src/branches/PHP_5_2/ext/filter/tests/bug52929.phpt (from php/php-src/trunk/ext/filter/tests/bug52929.phpt:r303779) Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2010-09-30 00:59:26 UTC (rev 303884) +++ php/php-src/branches/PHP_5_2/NEWS 2010-09-30 02:35:37 UTC (rev 303885) @@ -4,6 +4,8 @@ - Fixed possible flaw in open_basedir (CVE-2010-3436). (Pierre) - Fixed possible crash in mssql_fetch_batch(). (Kalle) +- Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with + large amount of data). (Adam) - Fixed bug #52772 (var_dump() doesn't check for the existence of get_class_name before calling it). (Kalle, Gustavo) - Fixed bug #52546 (pdo_dblib segmentation fault when iterating MONEY values). Modified: php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c =================================================================== --- php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c 2010-09-30 00:59:26 UTC (rev 303884) +++ php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c 2010-09-30 02:35:37 UTC (rev 303885) @@ -531,6 +531,11 @@ int matches; + /* The maximum length of an e-mail address is 320 octets, per RFC 2821. */ + if (Z_STRLEN_P(value) > 320) { + RETURN_VALIDATION_FAILED + } + re = pcre_get_compiled_regex((char *)regexp, &pcre_extra, &preg_options TSRMLS_CC); if (!re) { RETURN_VALIDATION_FAILED Copied: php/php-src/branches/PHP_5_2/ext/filter/tests/bug52929.phpt (from rev 303779, php/php-src/trunk/ext/filter/tests/bug52929.phpt) =================================================================== --- php/php-src/branches/PHP_5_2/ext/filter/tests/bug52929.phpt (rev 0) +++ php/php-src/branches/PHP_5_2/ext/filter/tests/bug52929.phpt 2010-09-30 02:35:37 UTC (rev 303885) @@ -0,0 +1,18 @@ +--TEST-- +Bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) +--SKIPIF-- +<?php if (!extension_loaded("filter")) die("skip"); ?> +--FILE-- +<?php +var_dump(filter_var('va...@email.address', FILTER_VALIDATE_EMAIL)); + +// Beyond the allowable limit for an e-mail address. +var_dump(filter_var('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...@yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.zz', FILTER_VALIDATE_EMAIL)); + +// An invalid address likely to crash PHP due to stack exhaustion if it goes to +// the validation regex. +var_dump(filter_var(str_repeat('x', 8000), FILTER_VALIDATE_EMAIL)); +--EXPECT-- +string(19) "va...@email.address" +bool(false) +bool(false)
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php