Subject: Re: Bug#442250: [PHP-DEV] CVE-2007-4840
From: madcoder@debian.org (Pierre Habouzit)
Date: Wed, 19 Sep 2007 01:43:53 +0200
To: sean finney, 442250@bugs.debian.org
Cc: Stanislav Malyshev, internals@lists.php.net, team@security.debian.org, 442247@bugs.debian.org, control@bugs.debian.org
Message-ID: <20070918234352.GA31756@artemis.corp>
In-Reply-To: <200709182348.59077.seanius@seanius.net>
References: <200709182130.44018.seanius@seanius.net> <200709182252.11222.seanius@seanius.net> <46F03B70.1040405@zend.com> <200709182348.59077.seanius@seanius.net>

tag 442250 + wontfix
thanks

On Tue, Sep 18, 2007 at 09:48:55PM +0000, sean finney wrote:
> iconv_t
> iconv_open (const char *tocode, const char *fromcode)
> {
>   char *tocode_conv;
>   char *fromcode_conv;
>   size_t tocode_len;
>   size_t fromcode_len;
>   __gconv_t cd;
>   int res;
>
>   /* Normalize the name.  We remove all characters beside alpha-numeric,
>      '_', '-', '/', '.', and ':'.  */
>   tocode_len = strlen (tocode);
>   tocode_conv = (char *) alloca (tocode_len + 3);
>   ....
> ======================
>
> so it's not surprising that big strings could end up being problematic...

  OTOH the caller should check those are likely charsets. I mean calling
iconv_open with strings that are longer than a few octets is completely
silly. The longest charset the libc recognizes is 22 chars long, 32 if you
append //TRANSLIT to it. mallocing for that is completely silly, and the
caller should do some basic sanitizing first.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
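The caller-side sanitizing Pierre argues for, as an added example in C that is not code from the thread, glibc or PHP: a name is vetted for length and character set before it reaches iconv_open(), so an oversized string is rejected instead of being handed to alloca(). The 32-character cap and the allowed characters are assumptions taken from the figures and the normalization comment quoted above.

```c
#include <ctype.h>
#include <errno.h>
#include <iconv.h>
#include <stddef.h>

/* Assumed upper bound on a plausible charset name, taken from the figures
   in the mail: 22 characters for the longest name glibc knows, 32 with
   "//TRANSLIT" appended. Adjust for your libc. */
#define CHARSET_NAME_MAX 32

/* Return 1 if `name` looks like a real charset name: non-empty, no longer
   than CHARSET_NAME_MAX, and made only of the characters glibc's own
   normalization keeps (alphanumerics, '_', '-', '/', '.', ':'). The scan
   stops as soon as the cap is exceeded, so a huge string is never walked. */
int charset_name_is_sane(const char *name)
{
    size_t i;
    if (name == NULL)
        return 0;
    for (i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (i >= CHARSET_NAME_MAX)
            return 0;                     /* too long to be a charset */
        if (!isalnum(c) && c != '_' && c != '-' && c != '/' &&
            c != '.' && c != ':')
            return 0;                     /* not a charset character */
    }
    return i > 0;
}

/* Wrapper that vets both names before they reach iconv_open(); a junk or
   oversized name fails here with EINVAL, the same sentinel iconv_open()
   itself uses for an unsupported conversion. */
iconv_t safe_iconv_open(const char *tocode, const char *fromcode)
{
    if (!charset_name_is_sane(tocode) || !charset_name_is_sane(fromcode)) {
        errno = EINVAL;
        return (iconv_t)-1;
    }
    return iconv_open(tocode, fromcode);
}
```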