[PHP-DEV] Bug #13413 Updated: Seg Fault when urlencoding a binary string

Sat, 20 Oct 2001 03:29:11 -0700 

ID: 13413
Updated by: derick
Reported By: [EMAIL PROTECTED]
Old Status: Assigned
Status: Closed
Bug Type: Strings related
Operating System: Linux 2.4
PHP Version: 4.0.6
Old Assigned To: derick
Assigned To: 
New Comment:

Fixed in CVS

Previous Comments:
------------------------------------------------------------------------

[2001-10-20 06:00:04] [EMAIL PROTECTED]

Reproduced on Win2K (PHP-4.1.0RC1, Apache 1.3.22, it simply crashes) and Debian Linux 
(PHP-4.0.6 on Apache 1.3.20, segfaults in error_log).

Marking as critical.

------------------------------------------------------------------------

[2001-09-24 06:23:21] [EMAIL PROTECTED]

If we pass a binary string which contains a byte with
an ASCII value of "0" to urlencode, then PHP will segfault.

This short script will demonstrate the problem.  Notice
that I am using urldecode because I have no way
of printing an ascii value of 0.

<?
$initString = "%00an%3E";
$binaryString = urldecode($initString);
$encodedString = urlencode($binaryString);
?>

I believe the problem is in file ../ext/standard/url.c
and in function php_url_encode().  This function uses
allocates memory for the new string after determining
the length of the input string via strlen(). However, a 
binary string could contain a byte with a value of zero, 
thereby yielding a shorter string length and not enough
memory allocated.

I'll also include a suggested patch below.

--- ext/standard/url.c.orig     Mon Sep 24 02:53:54 2001
+++ ext/standard/url.c  Mon Sep 24 02:53:38 2001
@@ -239,7 +239,7 @@
 {
        register int x, y;
        unsigned char *str;
-       str = (unsigned char *) emalloc(3 * strlen(s) + 1);
+       str = (unsigned char *) emalloc(3 * len + 1);
        for (x = 0, y = 0; len--; x++, y++) {
                str[y] = (unsigned char) s[x];
                if (str[y] == ' ') {





P.S. Thanks for working on PHP, it's a fantastic language
and I appreciate your effort.

-Manuel


------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=13413&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to