Patch for 72551
commit 3810e7b362e7bdef00ad33ae683a49aa7ab19e0d | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Tue Jul 12 23:13:52 2016 -0700 | |
Fix bug #72551 and bug #72552 - check before converting size_t->int | |
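diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index fb5c638..73acaa2 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -645,6 +645,10 @@ PHP_FUNCTION(mcrypt_generic)
 memset(ZSTR_VAL(data_str), 0, data_size);
 memcpy(ZSTR_VAL(data_str), data, data_len);
 } else { /* It's not a block algorithm */
+ if (data_len > INT_MAX) {
+ php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+ RETURN_FALSE;
+ }
 data_size = (int)data_len;
 data_str = zend_string_alloc(data_size, 0);
 memset(ZSTR_VAL(data_str), 0, data_size);
@@ -695,6 +699,10 @@ PHP_FUNCTION(mdecrypt_generic)
 memset(data_s, 0, data_size);
 memcpy(data_s, data, data_len);
 } else { /* It's not a block algorithm */
+ if (data_len > INT_MAX) {
+ php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+ RETURN_FALSE;
+ }
 data_size = (int)data_len;
 data_s = emalloc(data_size + 1);
 memset(data_s, 0, data_size);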
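Review bot: In the mdecrypt_generic hunk the new guard still admits `data_len == INT_MAX`, so `data_size` becomes `INT_MAX` and the following `emalloc(data_size + 1)` evaluates `data_size + 1` in `int`, which is signed overflow. Either reject the boundary too with `if (data_len >= INT_MAX) {` or size the allocation as `emalloc((size_t)data_size + 1)`. The guard also sits only in the non-block branch of both functions; the block branch begins outside these hunks, and if it derives `data_size` from `data_len` in `int` arithmetic (not visible here) it needs its own range check before `memcpy(..., data, data_len)` writes into a buffer sized by `data_size`. A one-line comment above each check, e.g. `/* data_size is an int; reject lengths the cast below would truncate */`, would record why the limit exists.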