mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
fix CVE-2013-2110 - use correct formula to calculate string size
This commit is contained in:
parent
2463e89794
commit
93e0d78ec6
4
NEWS
4
NEWS
@ -18,6 +18,10 @@ PHP NEWS
|
||||
|
||||
### DO NOT ADD ENTRIES HERE, ADD THEM ABOVE FOR 5.3.27 ###
|
||||
|
||||
- Core:
|
||||
. Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode,
|
||||
CVE 2013-2110). (Stas)
|
||||
|
||||
- Calendar:
|
||||
. Fixed bug #64895 (Integer overflow in SndToJewish). (Remi)
|
||||
|
||||
|
@ -151,7 +151,7 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len
|
||||
unsigned char c, *ret, *d;
|
||||
char *hex = "0123456789ABCDEF";
|
||||
|
||||
ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0);
|
||||
ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1);
|
||||
d = ret;
|
||||
|
||||
while (length--) {
|
||||
|
12
ext/standard/tests/strings/bug64879.phpt
Normal file
12
ext/standard/tests/strings/bug64879.phpt
Normal file
@ -0,0 +1,12 @@
|
||||
--TEST--
|
||||
Bug #64879: quoted_printable_encode() wrong size calculation (CVE-2013-2110)
|
||||
--FILE--
|
||||
<?php
|
||||
|
||||
quoted_printable_encode(str_repeat("\xf4", 1000));
|
||||
quoted_printable_encode(str_repeat("\xf4", 100000));
|
||||
|
||||
echo "Done\n";
|
||||
?>
|
||||
--EXPECTF--
|
||||
Done
|
Loading…
Reference in New Issue
Block a user