Patch for 72533
commit aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Tue Jul 12 22:37:36 2016 -0700 | |
Fix bug #72533 (locale_accept_from_http out-of-bounds access) | |
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c | |
index 31f60b3..443856f 100644 | |
--- a/ext/intl/locale/locale_methods.c | |
+++ b/ext/intl/locale/locale_methods.c | |
@@ -1591,6 +1591,24 @@ PHP_FUNCTION(locale_accept_from_http) | |
"locale_accept_from_http: unable to parse input parameters", 0 TSRMLS_CC ); | |
RETURN_FALSE; | |
} | |
+ if(http_accept_len > ULOC_FULLNAME_CAPACITY) { | |
+ /* check each fragment, if any bigger than capacity, can't do it due to bug #72533 */ | |
+ char *start = http_accept; | |
+ char *end; | |
+ size_t len; | |
+ do { | |
+ end = strchr(start, ','); | |
+ len = end ? end-start : http_accept_len-(start-http_accept); | |
+ if(len > ULOC_FULLNAME_CAPACITY) { | |
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, | |
+ "locale_accept_from_http: locale string too long", 0 TSRMLS_CC ); | |
+ RETURN_FALSE; | |
+ } | |
+ if(end) { | |
+ start = end+1; | |
+ } | |
+ } while(end != NULL); | |
+ } | |
available = ures_openAvailableLocales(NULL, &status); | |
INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to retrieve locale list"); | |
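Review bot: Both new comparisons, `if(http_accept_len > ULOC_FULLNAME_CAPACITY)` and `if(len > ULOC_FULLNAME_CAPACITY)`, still accept a fragment of exactly ULOC_FULLNAME_CAPACITY bytes. Whether that length is safe depends on how the downstream parser sizes its buffer, which this hunk does not show; if no byte is reserved for the terminator, the guards should read `if(http_accept_len >= ULOC_FULLNAME_CAPACITY) {` and `if(len >= ULOC_FULLNAME_CAPACITY) {`. The in-code comment should state the limit being relied on rather than only citing bug #72533. Separately, `strchr` stops at an embedded NUL while `len` then falls back to the remainder of `http_accept_len`, so such input is judged on its full length; that looks fail-safe but deserves a word in the comment. The function body starts and ends outside this hunk.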
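--- /dev/null
+++ b/ext/intl/tests/bug72533.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #72533 (locale_accept_from_http out-of-bounds access)
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+ $ret = var_export(ut_loc_accept_http(str_repeat('x', 256)), true);
+ $ret .= "\n";
+ if(intl_is_failure(intl_get_error_code())) {
+ $ret .= var_export(intl_get_error_message(), true);
+ }
+ $ret .= "\n";
+ $ret .= var_export(ut_loc_accept_http(str_repeat('en,', 256)), true);
+ $ret .= "\n";
+ if(intl_is_failure(intl_get_error_code())) {
+ $ret .= var_export(intl_get_error_message(), true);
+ }
+ return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_accept_from_http: locale string too long: U_ILLEGAL_ARGUMENT_ERROR'
+'en'
\ No newline at end of file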
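Review bot: Neither input in `ut_main()` exercises the rejection path after the C loop has advanced past a comma: the first is a single oversized fragment and the second contains only short ones. A case such as `ut_loc_accept_http('en,' . str_repeat('x', 256))` would cover an oversized fragment that is not first in the list. A fragment whose length sits exactly at the limit used by the C check would also pin the boundary behaviour, which the current expectations leave unspecified.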