Fix bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))

12 years ago · a6b7fdeb2d
2 changed files with 30 additions and 1 deletions
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@ -497,8 +497,16 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME
 		RETURN_FALSE;
 	}

+    if(loc_name_len > ULOC_FULLNAME_CAPACITY) {
+        /* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */
+		spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name );
+		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,  msg , 1 TSRMLS_CC );
+		efree(msg);
+		RETURN_FALSE;
+    }
+
 	if(loc_name_len == 0) {
-		loc_name = intl_locale_get_default(TSRMLS_C);
+		loc_name = INTL_G(default_locale);
 	}

 	if( strcmp(tag_name, DISP_NAME) != 0 ){
--- a/ext/intl/tests/bug67397.phpt
+++ b/ext/intl/tests/bug67397.phpt
@ -0,0 +1,21 @@
+--TEST--
+Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+    $ret = var_export(ut_loc_get_display_name(str_repeat('*', 256), 'en_us'), true);
+    $ret .= "\n";
+    $ret .= var_export(intl_get_error_message(), true);
+    return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR'