CVE-2002-1396
Description
Heap-based buffer overflow in the wordwrap function in PHP after 4.1.2 and before 4.3.0 may allow attackers to cause a denial of service or execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Heap buffer overflow in wordwrap() due to insufficient output buffer allocation when the 'cut' parameter is enabled."
Attack vector
An attacker can trigger the overflow by supplying a crafted string and a `wordwrap()` call with a `width` argument of 20 and a long `break` string (e.g., "CANITBREAKFOO") with the `cut` flag set to 1 [ref_id=1]. The `wordwrap` function writes one byte past the allocated buffer, corrupting heap metadata. This corruption can later cause a segmentation fault inside `malloc()` when PHP attempts to allocate memory for a subsequent operation (e.g., a PostgreSQL query), leading to denial of service or potentially arbitrary code execution [CWE-122].
Affected code
The heap-based buffer overflow resides in the `zif_wordwrap` function in PHP's string handling code. The bug was present in PHP versions after 4.1.2 and before 4.3.0, including 4.2.2, 4.2.3, and 4.3.0RC2/RC3.
What the fix does
The patch is not included in the bundle, but the bug report indicates the overflow was fixed between PHP 4.3.0RC2 and the final 4.3.0 release [ref_id=1]. The fix would correct the buffer size calculation in `zif_wordwrap` so that when the `cut` parameter is enabled, the allocated output buffer is large enough to hold the inserted break string without writing past the end. Without this fix, the function writes one or two bytes beyond the allocated block, corrupting adjacent heap memory.
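An added illustration of the sizing rule described above, not PHP's `zif_wordwrap` and not the actual patch (which this page does not include): a simplified C model of wrapping with forced cut, where the output size budgets for the break string and every append is bounds-checked so an undersized buffer fails instead of being overrun. The names `wrap_cap`, `put` and `wrap_cut` and the worst-case bound are assumptions of this example, and the input in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst case: every input byte followed by one break string, plus the NUL.
 * Returns 0 if that size would overflow size_t. */
size_t wrap_cap(size_t text_len, size_t brk_len)
{
    if (brk_len == SIZE_MAX || text_len >= SIZE_MAX / (brk_len + 1)) return 0;
    return text_len * (brk_len + 1) + 1;
}

/* Append n bytes only if they fit with one byte left for the NUL. */
static int put(char *out, size_t cap, size_t *len, const char *src, size_t n)
{
    if (n > cap - 1 - *len) return -1;
    memcpy(out + *len, src, n);
    *len += n;
    return 0;
}

/* Simplified wrap with forced cut; returns length, or -1 if out is too small. */
long wrap_cut(const char *text, size_t width, const char *brk,
              char *out, size_t cap)
{
    size_t n = strlen(text), bl = strlen(brk), start = 0, sp = 0, len = 0;
    if (width == 0 || cap == 0) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t end = i, next = i;            /* default: cut a long word */
        if (i - start < width) { if (text[i] == ' ') sp = i; continue; }
        if (text[i] == ' ') next = i + 1;    /* break replaces the space */
        else if (start < sp) { end = sp; next = sp + 1; } /* last space */
        if (put(out, cap, &len, text + start, end - start) ||
            put(out, cap, &len, brk, bl))
            return -1;
        start = sp = next;
    }
    if (put(out, cap, &len, text + start, n - start)) return -1;
    out[len] = '\0';
    return (long)len;
}

int main(void)
{
    char out[141];  /* wrap_cap(10, 13); the input below is constructed */
    long r = wrap_cut("aaaaaaaaaa", 4, "CANITBREAKFOO", out, sizeof out);
    printf("%ld %s\n", r, r < 0 ? "(buffer too small)" : out);
    return 0;
}
```

A buffer sized from the input length alone (11 bytes here) makes `wrap_cut` return -1 at the first break string that does not fit, rather than writing past the end.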
Preconditions
- input: The attacker must be able to supply a string and parameters to PHP's wordwrap() function, typically through a web application that passes user-controlled input to wordwrap().
- config: The wordwrap() call must use a 'width' of 20, a break string longer than 1 character (e.g., 'CANITBREAKFOO'), and the 'cut' flag set to 1.
Reproduction
```php
<?php
$x = "ADV:CLAIM YOUR FORTUNE NOW !!MAKE";
$x .= " xxxxxxxxxxHUNDREDS OF THOUSANDSxxxxxxxxxxxx";
$b = "CANITBREAKFOO";
$x = wordwrap($x, 20, $b, 1);
$x = wordwrap($x, 20, $b, 1);
?>
```

Running this script on PHP 4.2.2, 4.2.3, or 4.3.0RC2 causes a segmentation fault [ref_id=1].
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- bugs.php.net/bug.php (nvd; Patch, Vendor Advisory)
- www.securityfocus.com/bid/6488 (nvd; Patch, Vendor Advisory)
- archives.neohapsis.com/archives/linux/engarde/2003-q1/0003.html (nvd)
- marc.info (nvd)
- www.mandrakesoft.com/security/advisories (nvd)
- www.novell.com/linux/security/advisories/2003_009_mod_php4.html (nvd)
- www.redhat.com/support/errata/RHSA-2003-017.html (nvd)
- www.securityfocus.com/advisories/4862 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/10944 (nvd)