From: yoarvi at gmail dot com
Operating system: Solaris 5.10 (SPARC)
PHP version: 6SVN-2009-11-19 (SVN)
PHP Bug Type: *Unicode Issues
Bug description: [PATCH] - Insufficient memory allocation for unicode string
Description:
------------
ext/standard/string.c:3460 allocates only 1 extra byte for the terminating null

    str.u = safe_emalloc(2, UBYTES(old_len), 1);

but then assigns a null at line 3482 using

    *q.u = 0;

which writes 2 bytes. The following patch fixes the problem:

Index: ext/standard/string.c
===================================================================
--- ext/standard/string.c (revision 290968)
+++ ext/standard/string.c (working copy)
@@ -3457,7 +3457,7 @@ if (type == IS_UNICODE) { old_end.u = old.u + old_len; - str.u = safe_emalloc(2, UBYTES(old_len), 1); + str.u = safe_emalloc(2, UBYTES(old_len), UBYTES(1)); for (p.u = old.u, q.u = str.u; p.u != old_end.u; p.u++) { cp = *p.u;

Reproduce code:
---------------
./configure --enable-debug
% sapi/cli/php ext/standard/tests/strings/quotemeta_basic.php

Expected result:
----------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
unicode(20) "\\\+\*\?\[\^\]\(\$\)"

Actual result:
--------------
*** Testing quotemeta() : basic functionality ***
unicode(20) "Hello how are you \?"
unicode(19) "\(100 \+ 50\) \* 10"
[Thu Nov 19 15:35:30 2009]  Script:  'ext/standard/tests/strings/quotemeta_basic.php'
---------------------------------------
/home/arvi/php-trunk/ext/standard/string.c(3483) : Block 0x0969aed4 status:
Beginning:      OK (allocated on /home/arvi/php-trunk/ext/standard/string.c:3460, 41 bytes)
      Start:      OK
        End:      Overflown (magic=0x00000000 instead of 0x2C8088DB)
                  1 byte(s) overflown
---------------------------------------
unicode(20) ""
[Thu Nov 19 15:35:30 2009]  Script:  'ext/standard/tests/strings/quotemeta_basic.php'
/home/arvi/php-trunk/ext/standard/string.c(3460) :  Freeing 0x0969AED4 (41 bytes), script=ext/standard/tests/strings/quotemeta_basic.php
/home/arvi/php-trunk/Zend/zend_alloc.c(2446) : Actual location (location was relayed)
=== Total 1 memory leaks detected ===

-- Edit bug report at http://bugs.php.net/?id=50226&edit=1
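Review bot: the third argument to `safe_emalloc` is a byte count added on top of `nmemb * size`, so the `1` on the `-` line reserves a single byte while the terminating `*q.u = 0` stores a whole UChar; `UBYTES(1)` on the `+` line sizes the terminator in the same unit as the rest of the buffer, which is the right fix. The figures in the report are consistent with it: the 41-byte block is `2 * UBYTES(10) + 1` for the ten-character third test string, whose output escapes every character and fills all 40 bytes, so the second byte of the terminator is the "1 byte(s) overflown" and the extra byte from `UBYTES(1)` is exactly what is missing. A short comment on the `+` line, e.g. `/* UBYTES(1): room for the terminating U+0000 */`, would help, because a bare `1` reads as "one terminator" and is easy to reintroduce.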
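To show why only the third test string trips the off-by-one, here is an added C model of the sizing arithmetic (example code, not PHP's own): it escapes a UTF-16 buffer the way quotemeta() does and compares the bytes actually needed with the two allocation formulas from the patch. The `UBYTES` macro, `is_meta` and the other helper names are assumptions for this example; the sample strings are the three from the test script, constructed here as ASCII and widened.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes for n UTF-16 code units; stands in for PHP 6's UBYTES() (assumed). */
#define UBYTES(n) ((size_t)(n) * sizeof(uint16_t))

/* The characters quotemeta() prefixes with a backslash. */
static int is_meta(uint16_t c) {
    return c != 0 && c < 128 && strchr(".\\+*?[^]$()", (int)c) != NULL;
}

/* Allocation sizes, in bytes, from the '-' and '+' lines of the patch. */
size_t alloc_buggy(size_t len) { return 2 * UBYTES(len) + 1; }
size_t alloc_fixed(size_t len) { return 2 * UBYTES(len) + UBYTES(1); }

/* UTF-16 units the escaped string occupies, terminating U+0000 included. */
size_t quotemeta_units(const uint16_t *in, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += is_meta(in[i]) ? 2 : 1;   /* backslash + char, or char alone */
    return n + 1;
}

/* Bytes by which the buggy allocation falls short for this input (0 = fits). */
size_t overflow_bytes(const uint16_t *in, size_t len) {
    size_t need = UBYTES(quotemeta_units(in, len));
    size_t have = alloc_buggy(len);
    return need > have ? need - have : 0;
}

/* Widen an ASCII sample to UTF-16 and report the shortfall (constructed input). */
size_t shortfall_for(const char *ascii) {
    uint16_t buf[64];
    size_t len = strlen(ascii);
    if (len > sizeof buf / sizeof buf[0]) return (size_t)-1;
    for (size_t i = 0; i < len; i++) buf[i] = (uint16_t)(unsigned char)ascii[i];
    return overflow_bytes(buf, len);
}

int main(void) {
    const char *samples[] = { "Hello how are you ?", "(100 + 50) * 10", "\\+*?[^]($)" };
    for (size_t i = 0; i < 3; i++) {
        size_t len = strlen(samples[i]);
        printf("%-22s len=%2zu buggy=%2zu fixed=%2zu short by %zu byte(s)\n",
               samples[i], len, alloc_buggy(len), alloc_fixed(len),
               shortfall_for(samples[i]));
    }
    return 0;
}
```

The worst case is an input where every character is escaped: the output then fills all `2 * UBYTES(len)` bytes and the two-byte terminator needs the full `UBYTES(1)` beyond it.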