Patch for 72403
commit 88746d60ab3ad51797612ee62603bb3e08d4aac4 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Wed Jun 15 21:46:46 2016 -0700 | |
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths | |
diff --git a/ext/standard/string.c b/ext/standard/string.c | |
index 63eede1..acb6a01 100644 | |
--- a/ext/standard/string.c | |
+++ b/ext/standard/string.c | |
@@ -137,6 +137,9 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t * | |
register unsigned char *result = NULL; | |
size_t i, j; | |
+ if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) { | |
+ zend_error(E_ERROR, "String size overflow"); | |
+ } | |
result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1); | |
for (i = j = 0; i < oldlen; i++) { | |
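Review bot: The new guard in php_bin2hex multiplies before it compares, so `oldlen * 2 * sizeof(char)` is evaluated in size_t and can wrap on a 32-bit build before it is checked against INT_MAX. Dividing instead keeps the test correct for any oldlen: `if (UNEXPECTED(oldlen > INT_MAX / 2)) {`. Whether a caller can really pass a value that large is not visible here, and safe_emalloc on the following line does its own multiplication overflow check, so this is hardening of the length check rather than a demonstrated hole. The function body continues outside the hunk.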
@@ -2613,6 +2616,7 @@ PHP_FUNCTION(quotemeta) | |
char *p, *q; | |
char c; | |
int old_len; | |
+ size_t new_len; | |
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) { | |
return; | |
@@ -2647,8 +2651,13 @@ PHP_FUNCTION(quotemeta) | |
} | |
} | |
*q = 0; | |
+ new_len = q - str; | |
+ if (UNEXPECTED(new_len > INT_MAX)) { | |
+ efree(str); | |
+ zend_error(E_ERROR, "String size overflow"); | |
+ } | |
- RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0); | |
+ RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0); | |
} | |
/* }}} */ | |
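Review bot: The size_t new_len is passed to RETURN_STRINGL without a cast, while the php_addcslashes change in this same commit narrows explicitly with `(int)newlen`. After the INT_MAX check the value is known to fit, so making that visible keeps the two sites consistent and quiet under conversion warnings: `RETURN_STRINGL(erealloc(str, new_len + 1), (int)new_len, 0);`. A short comment above the check, such as `/* result length is reported as int; reject anything that would not fit */`, would also record why the guard sits after the copy loop. The allocation of str is outside the hunk.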
@@ -3500,7 +3509,7 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s | |
char *source, *target; | |
char *end; | |
char c; | |
- int newlen; | |
+ size_t newlen; | |
if (!wlength) { | |
wlength = strlen(what); | |
@@ -3531,11 +3540,15 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s | |
} | |
*target = 0; | |
newlen = target - new_str; | |
+ if (UNEXPECTED(newlen > INT_MAX)) { | |
+ efree(new_str); | |
+ zend_error(E_ERROR, "String size overflow"); | |
+ } | |
if (target - new_str < length * 4) { | |
new_str = erealloc(new_str, newlen + 1); | |
} | |
if (new_length) { | |
- *new_length = newlen; | |
+ *new_length = (int)newlen; | |
} | |
if (should_free) { | |
STR_FREE((char*)str); | |
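Review bot: The unchanged test `target - new_str < length * 4` still multiplies in int, so for a length above INT_MAX / 4 the product overflows, which is undefined behaviour for a signed int and in practice makes the shrink-realloc decision unreliable for exactly the large inputs this commit targets. Now that newlen is a size_t the comparison can reuse it and widen the right-hand side: `if (newlen < (size_t)length * 4) {`. The allocation that sizes new_str from length is outside the hunk, so it is worth confirming it uses the same widened arithmetic.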
@@ -3587,6 +3600,9 @@ PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_f | |
*target = 0; | |
*new_length = target - new_str; | |
+ if (UNEXPECTED(*new_length < 0)) { | |
+ zend_error(E_ERROR, "String size overflow"); | |
+ } | |
if (should_free) { | |
STR_FREE(str); | |
} | |
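Review bot: This guard in php_addslashes detects overflow only after the pointer difference has been narrowed into `*new_length`, so it depends on the implementation-defined int conversion producing a negative value, and it does not release new_str before raising the error as the quotemeta and php_addcslashes hunks do. Computing the length in a size_t, comparing it with INT_MAX and storing it afterwards would match the pattern used elsewhere in this commit. The size_t local would have to be declared with the other locals at the top of the function, which is outside the hunk.

```c
*target = 0;
newlen = target - new_str;
if (UNEXPECTED(newlen > INT_MAX)) {
	/* free the escaped copy before bailing out, as the other call sites do */
	efree(new_str);
	zend_error(E_ERROR, "String size overflow");
}
*new_length = (int)newlen;
/* ... unchanged: should_free handling ... */
```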
@@ -4290,6 +4306,9 @@ PHP_FUNCTION(nl2br) | |
size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1); | |
new_length = str_len + repl_cnt * repl_len; | |
+ if (UNEXPECTED(new_length > INT_MAX)) { | |
+ zend_error(E_ERROR, "String size overflow"); | |
+ } | |
tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1); | |
} | |
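Review bot: The check `new_length > INT_MAX` in nl2br can only fire if new_length is wider than int or unsigned, and its declaration is outside the hunk. If it is still declared as int, the sum on the line above has already been truncated and the comparison is always false, so the declaration should be confirmed as (or changed to) `size_t new_length;`. On a 32-bit build `repl_cnt * repl_len` is also computed in a 32-bit size_t, so a comment stating the assumed bounds of repl_cnt would help the next reader.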
diff --git a/ext/standard/url.c b/ext/standard/url.c | |
index 27a216a..fc3f080 100644 | |
--- a/ext/standard/url.c | |
+++ b/ext/standard/url.c | |
@@ -625,6 +625,10 @@ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length) | |
if (new_length) { | |
*new_length = y; | |
} | |
+ if (UNEXPECTED(y > INT_MAX)) { | |
+ efree(str); | |
+ zend_error(E_ERROR, "String size overflow"); | |
+ } | |
return ((char *) str); | |
} | |
/* }}} */ |
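Review bot: In php_raw_url_encode the overflow check runs after `*new_length = y;`, so the caller's length has already been written with a possibly truncated value by the time the error is raised. The guard belongs before `if (new_length) {`, with the store then written as `*new_length = (int)y;`. The declaration of y is outside the hunk; if it is an int, `y > INT_MAX` can never be true and the counter would need to become a size_t for the check to have any effect.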