Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PHP bug #79150
From 860ac0a204d6f5095c81d2f40f09745c90446099 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 21 Jan 2020 17:18:40 +0100
Subject: [PATCH] Fix #79150: memcpy-param-overlap caused by
zif_mb_convert_encoding
We must not assume that `hash_entry` `IS_STRING`, but rather use
`encoding_str` which is guaranteed to be.
---
ext/mbstring/mbstring.c | 6 +++---
ext/mbstring/tests/bug79150.phpt | 17 +++++++++++++++++
2 files changed, 20 insertions(+), 3 deletions(-)
create mode 100644 ext/mbstring/tests/bug79150.phpt
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index a18d237df2..c0ba05cba3 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3369,12 +3369,12 @@ PHP_FUNCTION(mb_convert_encoding)
if ( _from_encodings) {
l = strlen(_from_encodings);
- n = strlen(Z_STRVAL_P(hash_entry));
+ n = strlen(ZSTR_VAL(encoding_str));
_from_encodings = erealloc(_from_encodings, l+n+2);
memcpy(_from_encodings + l, ",", 1);
- memcpy(_from_encodings + l + 1, Z_STRVAL_P(hash_entry), Z_STRLEN_P(hash_entry) + 1);
+ memcpy(_from_encodings + l + 1, ZSTR_VAL(encoding_str), ZSTR_LEN(encoding_str) + 1);
} else {
- _from_encodings = estrdup(Z_STRVAL_P(hash_entry));
+ _from_encodings = estrdup(ZSTR_VAL(encoding_str));
}
zend_string_release(encoding_str);
} ZEND_HASH_FOREACH_END();
diff --git a/ext/mbstring/tests/bug79150.phpt b/ext/mbstring/tests/bug79150.phpt
new file mode 100644
index 0000000000..25c06bd956
--- /dev/null
+++ b/ext/mbstring/tests/bug79150.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #79150 (memcpy-param-overlap caused by zif_mb_convert_encoding)
+--SKIPIF--
+<?php
+if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
+?>
+--FILE--
+<?php
+var_dump(mb_convert_encoding('foo', 'UTF-8', array(['bar'], ['baz'])));
+?>
+--EXPECTF--
+Notice: Array to string conversion in %s on line %d
+
+Notice: Array to string conversion in %s on line %d
+
+Warning: mb_convert_encoding(): Illegal character encoding specified in %s on line %d
+string(3) "foo"
--
2.25.0.windows.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment