Fixed bug #76532 (excessive memory usage in mb_strimwidth)

Marcus Schwarz · nikic · commit bf5a802f5a87 · 2018-06-28T23:02:28.000+02:00
diff --git a/NEWS b/NEWS
@@ -15,6 +15,10 @@ PHP                                                                        NEWS
   . Fixed bug #73342 (Vulnerability in php-fpm by changing stdin to
     non-blocking). (Nikita)
 
+- mbstring:
+  . Fixed bug #76532 (Integer overflow and excessive memory usage
+    in mb_strimwidth). (MarcusSchwarz)
+
 - phpdbg:
   . Fix arginfo wrt. optional/required parameters. (cmb)
 
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
@@ -1875,7 +1875,7 @@ mbfl_strimwidth(
 	mbfl_string_init(result);
 	result->no_language = string->no_language;
 	result->no_encoding = string->no_encoding;
-	mbfl_memory_device_init(&pc.device, width, 0);
+	mbfl_memory_device_init(&pc.device, MIN(string->len, width), 0);
 
 	/* output code filter */
 	pc.decoder = mbfl_convert_filter_new(
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.h b/ext/mbstring/libmbfl/mbfl/mbfilter.h
@@ -113,6 +113,13 @@
 #define MBFL_OUTPUTFILTER_ILLEGAL_MODE_LONG 2
 #define MBFL_OUTPUTFILTER_ILLEGAL_MODE_ENTITY 3
 
+/*
+ * convenience macros
+ */
+#ifndef MIN
+#define MIN(a,b) ((a)<(b)?(a):(b))
+#endif
+
 /*
  * buffering converter
  */
diff --git a/ext/mbstring/tests/bug76532.phpt b/ext/mbstring/tests/bug76532.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #76532 (Integer overflow and excessive memory usage in mb_strimwidth)
+--SKIPIF--
+<?php require 'skipif.inc'; ?>
+--FILE--
+<?php
+$string_to_trim = '得很幸福。有一天，一个长得很丑的老人带着一只木马来到王';
+$width = 2147483647;
+var_dump(mb_strimwidth($string_to_trim, 0, $width));
+?>
+--EXPECT--
+string(81) "得很幸福。有一天，一个长得很丑的老人带着一只木马来到王"
