From: yoarvi at gmail dot com
Operating system: Solaris 5.10 (SPARC)
PHP version: 6SVN-2009-11-19 (SVN)
PHP Bug Type: *Unicode Issues
Bug description: [PATCH] - Insufficient memory allocation for unicode string
Description:
------------
ext/standard/string.c:3460 allocates only 1 extra byte for the terminating
null
str.u = safe_emalloc(2, UBYTES(old_len), 1);
but then assigns a null at line 3482 using
*q.u = 0;
which writes 2 bytes.
The following patch fixes the problem:
Index: ext/standard/string.c
===================================================================
--- ext/standard/string.c (revision 290968)
+++ ext/standard/string.c (working copy)
@@ -3457,7 +3457,7 @@
if (type == IS_UNICODE) {
old_end.u = old.u + old_len;
- str.u = safe_emalloc(2, UBYTES(old_len), 1);
+ str.u = safe_emalloc(2, UBYTES(old_len), UBYTES(1));
for (p.u = old.u, q.u = str.u; p.u != old_end.u; p.u++) {
cp = *p.u;
Reproduce code:
---------------
./configure --enable-debug
% sapi/cli/php ext/standard/tests/strings/quotemeta_basic.php
Expected result:
----------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
unicode(20) "\\\+\*\?\[\^\]\(\$\)"
Actual result:
--------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
[Thu Nov 19 15:35:30 2009] Script:
'ext/standard/tests/strings/quotemeta_basic.php'
---------------------------------------
/home/arvi/php-trunk/ext/standard/string.c(3483) : Block 0x0969aed4
status:
Beginning: OK (allocated on
/home/arvi/php-trunk/ext/standard/string.c:3460, 41 bytes)
Start: OK
End: Overflown (magic=0x00000000 instead of 0x2C8088DB)
1 byte(s) overflown
---------------------------------------
unicode(20) ""
[Thu Nov 19 15:35:30 2009] Script:
'ext/standard/tests/strings/quotemeta_basic.php'
/home/arvi/php-trunk/ext/standard/string.c(3460) : Freeing 0x0969AED4 (41
bytes), script=ext/standard/tests/strings/quotemeta_basic.php
/home/arvi/php-trunk/Zend/zend_alloc.c(2446) : Actual location (location
was relayed)
=== Total 1 memory leaks detected ===
--
Edit bug report at http://bugs.php.net/?id=50226&edit=1
--
Try a snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=50226&r=trysnapshot52
Try a snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=50226&r=trysnapshot53
Try a snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=50226&r=trysnapshot60
Fixed in SVN:
http://bugs.php.net/fix.php?id=50226&r=fixed
Fixed in SVN and need be documented:
http://bugs.php.net/fix.php?id=50226&r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=50226&r=alreadyfixed
Need backtrace:
http://bugs.php.net/fix.php?id=50226&r=needtrace
Need Reproduce Script:
http://bugs.php.net/fix.php?id=50226&r=needscript
Try newer version:
http://bugs.php.net/fix.php?id=50226&r=oldversion
Not developer issue:
http://bugs.php.net/fix.php?id=50226&r=support
Expected behavior:
http://bugs.php.net/fix.php?id=50226&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=50226&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=50226&r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=50226&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=50226&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=50226&r=dst
IIS Stability:
http://bugs.php.net/fix.php?id=50226&r=isapi
Install GNU Sed:
http://bugs.php.net/fix.php?id=50226&r=gnused
Floating point limitations:
http://bugs.php.net/fix.php?id=50226&r=float
No Zend Extensions:
http://bugs.php.net/fix.php?id=50226&r=nozend
MySQL Configuration Error:
http://bugs.php.net/fix.php?id=50226&r=mysqlcfg
