Fixed bug #73473: Stack Buffer Overflow in msgfmt_parse_message

libnex · nikic · commit 95c4564f939c · 2017-06-03T00:05:16.000+02:00
diff --git a/NEWS b/NEWS
@@ -7,6 +7,9 @@ PHP                                                                        NEWS
     properties). (Laruence)
   . Fixed misparsing of abstract unix domain socket names. (Sara)
 
+- Intl:
+  . Fixed bug #73473 (Stack Buffer Overflow in msgfmt_parse_message). (libnex)
+
 - Mbstring:
   . Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227,
     CVE-2017-9228, CVE-2017-9229) (Remi, Mamoru TASAKA)
diff --git a/ext/intl/msgformat/msgformat_parse.c b/ext/intl/msgformat/msgformat_parse.c
@@ -110,6 +110,7 @@ PHP_FUNCTION( msgfmt_parse_message )
 		RETURN_FALSE;
 	}
 
+	INTL_CHECK_LOCALE_LEN(slocale_len);
 	memset(mfo, 0, sizeof(*mfo));
 	msgformat_data_init(&mfo->mf_data);
 

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ PHP_FUNCTION( msgfmt_parse_message )`
`110`	`110`	`RETURN_FALSE;`
`111`	`111`	`}`
`112`	`112`
	`113`	`+ INTL_CHECK_LOCALE_LEN(slocale_len);`
`113`	`114`	`memset(mfo, 0, sizeof(*mfo));`
`114`	`115`	`msgformat_data_init(&mfo->mf_data);`
`115`	`116`