ID: 13413
Updated by: derick
Reported By: [EMAIL PROTECTED]
Old Status: Critical
Status: Assigned
Bug Type: Strings related
Operating System: Linux 2.4
PHP Version: 4.0.6
Old Assigned To:
Assigned To: derick
Previous Comments:
------------------------------------------------------------------------
[2001-09-24 06:23:21] [EMAIL PROTECTED]
If we pass a binary string which contains a byte with
an ASCII value of "0" to urlencode, then PHP will segfault.
This short script will demonstrate the problem. Notice
that I am using urldecode because I have no way
of printing an ascii value of 0.
<?
$initString = "%00an%3E";
$binaryString = urldecode($initString);
$encodedString = urlencode($binaryString);
?>
I believe the problem is in file ../ext/standard/url.c
and in function php_url_encode(). This function uses
allocates memory for the new string after determining
the length of the input string via strlen(). However, a
binary string could contain a byte with a value of zero,
thereby yielding a shorter string length and not enough
memory allocated.
I'll also include a suggested patch below.
--- ext/standard/url.c.orig Mon Sep 24 02:53:54 2001
+++ ext/standard/url.c Mon Sep 24 02:53:38 2001
@@ -239,7 +239,7 @@
{
register int x, y;
unsigned char *str;
- str = (unsigned char *) emalloc(3 * strlen(s) + 1);
+ str = (unsigned char *) emalloc(3 * len + 1);
for (x = 0, y = 0; len--; x++, y++) {
str[y] = (unsigned char) s[x];
if (str[y] == ' ') {
P.S. Thanks for working on PHP, it's a fantastic language
and I appreciate your effort.
-Manuel
------------------------------------------------------------------------
Edit this bug report at http://bugs.php.net/?id=13413&edit=1
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
