Home > php教程 > php手册 > PHP4.4.2中关于BASE64编码中的一点BUG

PHP4.4.2中关于BASE64编码中的一点BUG

WBOY
Release: 2016-06-06 19:46:09
Original
888 people have browsed it

今天偶然调试时,发现了base64编码时内存分配的BUG,为编码分配的缓冲区计算方式有隐患,偶尔出现缓冲区过小,导致后续堆内存被覆盖,访问越界. php-4.4.2/ext/standard/base64.c /* {{{ php_base64_encode */ PHPAPI unsigned char *php_base64_encode(const uns

今天偶然调试时,发现了base64编码时内存分配的BUG,为编码分配的缓冲区计算方式有隐患,偶尔出现缓冲区过小,导致后续堆内存被覆盖,访问越界.

php-4.4.2/ext/standard/base64.c

/* {{{ php_base64_encode */
PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, int *ret_length)
{
 const unsigned char *current = str;
 unsigned char *p;
 unsigned char *result;

 if ((length + 2) = (1   if (ret_length != NULL) {
   *ret_length = 0;
  }
  return NULL;
 }

 result = (unsigned char *)safe_emalloc(((length + 2) / 3) * 4, sizeof(char), 1);
 p = result;

 while (length > 2) { /* keep going until we have less than 24 bits */
  *p++ = base64_table[current[0] >> 2];
  *p++ = base64_table[((current[0] & 0x03) > 4)];
  *p++ = base64_table[((current[1] & 0x0f) > 6)];
  *p++ = base64_table[current[2] & 0x3f];

  current += 3;
  length -= 3; /* we just handle 3 octets of data */
 }

 /* now deal with the tail end of things */
 if (length != 0) {
  *p++ = base64_table[current[0] >> 2];
  if (length > 1) {
   *p++ = base64_table[((current[0] & 0x03) > 4)];
   *p++ = base64_table[(current[1] & 0x0f)    *p++ = base64_pad;
  } else {
   *p++ = base64_table[(current[0] & 0x03)    *p++ = base64_pad;
   *p++ = base64_pad;
  }
 }
 if (ret_length != NULL) {
  *ret_length = (int)(p - result);
 }
 *p = '/0';
 return result;

我觉得计算方式应改为如下:

 /* Account the result buffer size and alloc the memory for it. */
 if ((length % 3) != 0)
 {
  padnum = 3 - length % 3;
 }

 retsize = (length + padnum) + ((length + padnum) / 3) + 1; // 正确的大小
稍微解释一下,因为BASE64需要将3个8位字节转换成4个6位的元组,4个6位元组每一组都可以用编码表中的一个ASCII码表示,这样的话,即就是每3个字节会多出一个字节,所以最终编码应该多出((length + padnum) / 3)个. 原理就是如此,而standard中默认的编码内存分配计算得有隐患.

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Recommendations
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template