author | Stanislav Malyshev <stas@php.net> | 2016-07-12 22:37:36 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-07-12 22:37:36 -0700 |
commit | aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 (patch) | |
tree | 729305c9f8c6953c65874ecb8b39ae640b5ae474 | |
parent | 81406c0c1d45f75fcc7972ed974d2597abb0b9e9 (diff) | |
download | php-git-aa82e99ed8003c01f1ef4f0940e56b85c5b032d4.tar.gz |
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
-rw-r--r-- | ext/intl/locale/locale_methods.c | 18 | ||||
-rw-r--r-- | ext/intl/tests/bug72533.phpt | 30 |
2 files changed, 48 insertions, 0 deletions
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index 31f60b39a4..443856ff5e 100644
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -1591,6 +1591,24 @@ PHP_FUNCTION(locale_accept_from_http)
 "locale_accept_from_http: unable to parse input parameters", 0 TSRMLS_CC );
 RETURN_FALSE;
 }
+ if(http_accept_len > ULOC_FULLNAME_CAPACITY) {
+ /* check each fragment, if any bigger than capacity, can't do it due to bug #72533 */
+ char *start = http_accept;
+ char *end;
+ size_t len;
+ do {
+ end = strchr(start, ',');
+ len = end ? end-start : http_accept_len-(start-http_accept);
+ if(len > ULOC_FULLNAME_CAPACITY) {
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
+ "locale_accept_from_http: locale string too long", 0 TSRMLS_CC );
+ RETURN_FALSE;
+ }
+ if(end) {
+ start = end+1;
+ }
+ } while(end != NULL);
+ }
 available = ures_openAvailableLocales(NULL, &status);
 INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to retrieve locale list");
diff --git a/ext/intl/tests/bug72533.phpt b/ext/intl/tests/bug72533.phpt
new file mode 100644
index 0000000000..c7fcba39d0
--- /dev/null
+++ b/ext/intl/tests/bug72533.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #72533 (locale_accept_from_http out-of-bounds access)
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+ $ret = var_export(ut_loc_accept_http(str_repeat('x', 256)), true);
+ $ret .= "\n";
+ if(intl_is_failure(intl_get_error_code())) {
+ $ret .= var_export(intl_get_error_message(), true);
+ }
+ $ret .= "\n";
+ $ret .= var_export(ut_loc_accept_http(str_repeat('en,', 256)), true);
+ $ret .= "\n";
+ if(intl_is_failure(intl_get_error_code())) {
+ $ret .= var_export(intl_get_error_message(), true);
+ }
+ return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_accept_from_http: locale string too long: U_ILLEGAL_ARGUMENT_ERROR'
+'en'
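Review bot: Both comparisons in the new guard use `>`, so a fragment of exactly ULOC_FULLNAME_CAPACITY bytes is still passed on, although ICU documents that constant as the maximum locale ID size including the terminating NUL. Whether that one-byte case can still reach the out-of-bounds access depends on ICU's buffer handling, which is not visible here; if it is in doubt, the conservative form is `if(http_accept_len >= ULOC_FULLNAME_CAPACITY) {` and `if(len >= ULOC_FULLNAME_CAPACITY) {`. Separately, `strchr` stops at the first NUL byte while the last fragment's length is derived from `http_accept_len`; that can only over-reject, but a short comment saying so (or scanning with `memchr` over the remaining length) would keep the two notions of length from surprising the next reader. The body of PHP_FUNCTION(locale_accept_from_http) starts and ends outside the hunk.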
\ No newline at end of file |
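Review bot: The test exercises one oversized fragment with no comma and one long list of short fragments, so a rejection that happens after the first comma and the exact boundary of the length check are both uncovered. A case such as `ut_loc_accept_http('en,' . str_repeat('x', 256))`, expected to return `false` with the same error message, would cover the later-fragment path. Cases with a fragment just under and just over ULOC_FULLNAME_CAPACITY would pin the limit, though the expected result at the boundary depends on the comparison chosen in locale_methods.c.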