authorNikita Popov <nikita.ppv@gmail.com>2018-06-28 23:06:08 +0200
committerNikita Popov <nikita.ppv@gmail.com>2018-06-28 23:06:08 +0200
commita7101415cb19ec01aacaa0ababb88d02c6a1631d (patch)
tree309f7326e1706d5310e68b64423c372fbfbe4ec5
parentdb7ead0768076da486a9c98264061113233deb7f (diff)
parent00c0d7702ce92ed132ad7234ca63bdec28e56421 (diff)
downloadphp-git-a7101415cb19ec01aacaa0ababb88d02c6a1631d.tar.gz
Merge branch 'PHP-7.2'
-rw-r--r--NEWS4
-rw-r--r--ext/mbstring/libmbfl/mbfl/mbfilter.c2
-rw-r--r--ext/mbstring/libmbfl/mbfl/mbfilter.h7
-rw-r--r--ext/mbstring/tests/bug76532.phpt12
4 files changed, 24 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 9f18ee0f16..7855901c2e 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,10 @@ PHP NEWS
. Fixed bug #73342 (Vulnerability in php-fpm by changing stdin to
non-blocking). (Nikita)
+- mbstring:
+ . Fixed bug #76532 (Integer overflow and excessive memory usage
+ in mb_strimwidth). (MarcusSchwarz)
+
- PCRE:
. Fixed bug #76512 (\w no longer includes unicode characters). (cmb)
. Fixed bug #76514 (Regression in preg_match makes it fail with
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
index 94ecc57491..48dbc75920 100644
--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
+++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
@@ -1687,7 +1687,7 @@ mbfl_strimwidth(
mbfl_string_init(result);
result->no_language = string->no_language;
result->encoding = string->encoding;
- mbfl_memory_device_init(&pc.device, width, 0);
+ mbfl_memory_device_init(&pc.device, MIN(string->len, width), 0);
/* output code filter */
pc.decoder = mbfl_convert_filter_new(
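Review bot: The clamp `MIN(string->len, width)` on the `mbfl_memory_device_init` line compares two values whose declared types are not visible in this hunk, so its behaviour for a negative `width` cannot be confirmed from here. If both operands are signed, a negative `width` passes through the clamp unchanged and still reaches the allocator; if only one is unsigned, the comparison goes through the usual arithmetic conversions. It would be worth confirming that `width` is validated as non-negative before this line. The line also deserves a why-comment, e.g. `/* width is caller-controlled; cap the initial buffer at the input length */`. The body of mbfl_strimwidth starts and ends outside the hunk.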
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.h b/ext/mbstring/libmbfl/mbfl/mbfilter.h
index bbf1b70e9d..a6aed129fa 100644
--- a/ext/mbstring/libmbfl/mbfl/mbfilter.h
+++ b/ext/mbstring/libmbfl/mbfl/mbfilter.h
@@ -125,6 +125,13 @@
#define MBFL_OUTPUTFILTER_ILLEGAL_MODE_ENTITY 3
/*
+ * convenience macros
+ */
+#ifndef MIN
+#define MIN(a,b) ((a)<(b)?(a):(b))
+#endif
+
+/*
* buffering converter
*/
typedef struct _mbfl_buffer_converter mbfl_buffer_converter;
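Review bot: Defining the generic name `MIN` in this header under `#ifndef MIN` means the definition actually used depends on include order, since any earlier header that already defines `MIN` silently wins. A prefixed name avoids both the collision and leaking a generic macro to every includer, e.g. `#define MBFL_MIN(a, b) ((a) < (b) ? (a) : (b))`. The macro also evaluates each argument twice, which is harmless for the call added in mbfilter.c but should be stated in the `convenience macros` comment so that later callers do not pass expressions with side effects.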
diff --git a/ext/mbstring/tests/bug76532.phpt b/ext/mbstring/tests/bug76532.phpt
new file mode 100644
index 0000000000..e61e403dbf
--- /dev/null
+++ b/ext/mbstring/tests/bug76532.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #76532 (Integer overflow and excessive memory usage in mb_strimwidth)
+--SKIPIF--
+<?php require 'skipif.inc'; ?>
+--FILE--
+<?php
+$string_to_trim = '得很幸福。有一天,一个长得很丑的老人带着一只木马来到王';
+$width = 2147483647;
+var_dump(mb_strimwidth($string_to_trim, 0, $width));
+?>
+--EXPECT--
+string(81) "得很幸福。有一天,一个长得很丑的老人带着一只木马来到王" \ No newline at end of file
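Review bot: The `--EXPECT--` section checks only the returned string, so this test catches a regression of the oversized allocation only if that allocation fails under whatever memory limit the test run happens to use. Pinning the limit in the test makes that independent of the runner's configuration, for example an `--INI--` section with `memory_limit=128M` (value constructed for illustration). The call also passes no encoding, so the expected `string(81)` depends on the default internal encoding; passing it explicitly, `mb_strimwidth($string_to_trim, 0, $width, '', 'UTF-8')`, would remove that dependency.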