Fix bug #72533 (locale_accept_from_http out-of-bounds access)

strk · Jul 13, 2016 · aa82e99 · aa82e99
1 parent 81406c0
commit aa82e99
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 0 deletions.
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
@@ -1591,6 +1591,24 @@ PHP_FUNCTION(locale_accept_from_http)
 		"locale_accept_from_http: unable to parse input parameters", 0 TSRMLS_CC );
 		RETURN_FALSE;
 	}
+	if(http_accept_len > ULOC_FULLNAME_CAPACITY) {
+		/* check each fragment, if any bigger than capacity, can't do it due to bug #72533 */
+		char *start = http_accept;
+		char *end;
+		size_t len;
+		do {
+			end = strchr(start, ',');
+			len = end ? end-start : http_accept_len-(start-http_accept);
+			if(len > ULOC_FULLNAME_CAPACITY) {
+				intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
+						"locale_accept_from_http: locale string too long", 0 TSRMLS_CC );
+				RETURN_FALSE;
+			}
+			if(end) {
+				start = end+1;
+			}
+		} while(end != NULL);
+	}
 
 	available = ures_openAvailableLocales(NULL, &status);
 	INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to retrieve locale list");

diff --git a/ext/intl/tests/bug72533.phpt b/ext/intl/tests/bug72533.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #72533 (locale_accept_from_http out-of-bounds access)
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+    $ret = var_export(ut_loc_accept_http(str_repeat('x', 256)), true);
+    $ret .= "\n";
+	if(intl_is_failure(intl_get_error_code())) {
+		$ret .= var_export(intl_get_error_message(), true);
+	}
+    $ret .= "\n";
+    $ret .= var_export(ut_loc_accept_http(str_repeat('en,', 256)), true);
+    $ret .= "\n";
+	if(intl_is_failure(intl_get_error_code())) {
+		$ret .= var_export(intl_get_error_message(), true);
+	}
+    return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_accept_from_http: locale string too long: U_ILLEGAL_ARGUMENT_ERROR'
+'en'