Merge branch 'PHP-5.3' into PHP-5.4

* PHP-5.3: fix CVE-2013-2110 - use correct formula to calculate string size
13 years ago · efdeec3c0e
3 changed files with 19 additions and 5 deletions
--- a/8
+++ b/8
@ -20,12 +20,14 @@ PHP                                                                        NEWS
 ?? ??? 2013, PHP 5.4.16

 - Core:
-  . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry)
+  . Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode,
+    CVE 2013-2110). (Stas)
+  . Fixed bug #64853 (Use of no longer available ini directives causes crash on
+    TS build). (Anatol)
  . Fixed bug #64729 (compilation failure on x32). (Gustavo)
+  . Fixed bug #64720 (SegFault on zend_deactivate). (Dmitry)
  . Fixed bug #64660 (Segfault on memory exhaustion within function definition).
    (Stas, reported by Juha Kylmänen)
-  . Fixed bug #64853 (Use of no longer available ini directives causes crash on
-    TS build). (Anatol)

 - Calendar:
  . Fixed bug #64895 (Integer overflow in SndToJewish). (Remi)
--- a/ext/standard/quot_print.c
+++ b/ext/standard/quot_print.c
@ -151,7 +151,7 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len
 	unsigned char c, *ret, *d;
 	char *hex = "0123456789ABCDEF";

-	ret = safe_emalloc(1, 3 * length + 3 * (((3 * length)/PHP_QPRINT_MAXL) + 1), 0);
+	ret = safe_emalloc(3, length + (((3 * length)/(PHP_QPRINT_MAXL-9)) + 1), 1);
 	d = ret;

 	while (length--) {
@ -286,4 +286,4 @@ PHP_FUNCTION(quoted_printable_encode)
 * End:
 * vim600: sw=4 ts=4 fdm=marker
 * vim<600: sw=4 ts=4
- */
+ */
--- a/ext/standard/tests/strings/bug64879.phpt
+++ b/ext/standard/tests/strings/bug64879.phpt
@ -0,0 +1,12 @@
+--TEST--
+Bug #64879: quoted_printable_encode() wrong size calculation (CVE-2013-2110)
+--FILE--
+<?php
+
+quoted_printable_encode(str_repeat("\xf4", 1000)); 
+quoted_printable_encode(str_repeat("\xf4", 100000)); 
+
+echo "Done\n";
+?>
+--EXPECTF--	
+Done