Edit report at http://bugs.php.net/bug.php?id=49687&edit=1

 ID:                 49687
 Updated by:         cataphr...@php.net
 Reported by:        sird at rckc dot at
 Summary:            utf8_decode xml_utf8_decode vuln
-Status:             Assigned
+Status:             Closed
 Type:               Bug
 Package:            *Unicode Issues
 Operating System:   *
 PHP Version:        5.2.11
 Assigned To:        cataphract
 Block user comment: N



Previous Comments:
------------------------------------------------------------------------
[2010-10-27 20:13:36] cataphr...@php.net

Fixed for PHP 5.3 and trunk.

------------------------------------------------------------------------
[2010-10-27 20:13:26] cataphr...@php.net

Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=304959
Log: - Fixed bug #49687 (utf8_decode vulnerabilities and deficiencies in the number
  of reported malformed sequences). (Gustavo)
#Made a public interface for get_next_char/utf-8 in trunk to use in utf8_decode.
#In PHP 5.3, trunk's get_next_char was copied to xml.c because 5.3's
#get_next_char is different and is not prepared to recover appropriately from
#errors.

------------------------------------------------------------------------
[2009-10-16 04:53:00] sird at rckc dot at

My last post, I promise..

it should say:

        c = ((s[0]&63)<<6) | (s[1]&63);

Greetz!

------------------------------------------------------------------------
[2009-10-16 04:52:21] sird at rckc dot at

Oh, duh! I'm reading the wrong function.. :( Sorry

        if(pos-2 >= 0 || s[1]&0xC0!=0x80) {
                c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
        } else {
                c = '?';
        }

------------------------------------------------------------------------
[2009-10-16 04:45:25] sird at rckc dot at

oh, my mistake:

        else if (c < 0x800) {
                newbuf[(*newlen)++] = (0xc0 | (c >> 6));
                newbuf[(*newlen)++] = (0x80 | (c & 0x3f));
        }

should be:

        else if (c < 0x800) {
                if ( (s[1]&0xC0!=0x80) ){
                    newbuf[(*newlen)++] = '?';
                }else{
                    newbuf[(*newlen)++] = (0xc0 | (c >> 6));
                    newbuf[(*newlen)++] = (0x80 | (c & 0x3f));
                }
        }

------------------------------------------------------------------------
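
Added example, not part of the bug report and not PHP's code: a minimal UTF-8 to ISO-8859-1 decoder showing the continuation-byte check the comments above are working toward, with bounds checking and one '?' per malformed sequence. The names utf8_to_latin1 and is_cont are hypothetical, and the rejection of overlong forms is an assumption about what a strict decoder should do.

```c
#include <stdio.h>
#include <stddef.h>

/* Continuation bytes are 10xxxxxx. The parentheses matter: b & 0xC0 != 0x80
 * parses as b & (0xC0 != 0x80), i.e. b & 1. (is_cont is a hypothetical name.) */
static int is_cont(unsigned char b) { return (b & 0xC0) == 0x80; }

/* Hypothetical helper, not PHP's get_next_char: decode UTF-8 in s[0..len) to
 * ISO-8859-1 in out (room for len bytes). Each malformed or non-Latin-1
 * sequence yields exactly one '?'. Returns the number of bytes written. */
size_t utf8_to_latin1(const unsigned char *s, size_t len, unsigned char *out)
{
    size_t i = 0, n = 0;
    while (i < len) {
        unsigned char b = s[i];
        unsigned long c, min;
        size_t need, k;

        if (b < 0x80)                { c = b;        need = 0; min = 0; }
        else if ((b & 0xE0) == 0xC0) { c = b & 0x1F; need = 1; min = 0x80; }
        else if ((b & 0xF0) == 0xE0) { c = b & 0x0F; need = 2; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { c = b & 0x07; need = 3; min = 0x10000; }
        else { out[n++] = '?'; i++; continue; } /* stray continuation or bad lead */

        /* Read only bytes that exist and really are continuation bytes. */
        for (k = 0; k < need && i + 1 + k < len && is_cont(s[i + 1 + k]); k++)
            c = (c << 6) | (s[i + 1 + k] & 0x3F);
        i += 1 + k; /* on a short sequence, resume at the offending byte */

        /* Truncated, overlong (c < min), or outside Latin-1: one '?'. */
        out[n++] = (k < need || c < min || c > 0xFF) ? '?' : (unsigned char)c;
    }
    return n;
}

int main(void)
{
    /* Constructed input: 'A', U+00E9, a lead byte with no continuation, 'B' */
    const unsigned char in[] = { 'A', 0xC3, 0xA9, 0xC3, 'B' };
    unsigned char out[sizeof in];
    printf("%lu bytes written\n", (unsigned long)utf8_to_latin1(in, sizeof in, out));
    return 0;
}
```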


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=49687

