/72838.diff Secret
Created August 16, 2016 06:49
Patch for 72838
commit 165336bfa6c06bb90f5ee4e70fc248e072bbf96c
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Aug 15 23:43:59 2016 -0700
Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 5d38d04..8eb833a 100644
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
for (i = j = 0; i < string_len; i++) {
c = (unsigned char) string[i];
+ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
+ efree(tmp);
+ RETURN_FALSE;
+ }
if (isalpha(c)) {
tmp[j++] = '[';
tmp[j++] = toupper(c);
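Review bot: the new guard is evaluated once per input byte inside the loop, yet the bound it enforces is a property of the input length alone: the visible branch shows that an alphabetic byte expands to four output bytes (`[`, upper, lower, `]`) and any other byte to one, so the output index `j` can never exceed `4 * string_len`. Checking `string_len` once before the loop (reject when `string_len > (INT_MAX - 1) / 4`) would give the same protection without the per-iteration comparison and would make the relation between input size and the `INT_MAX` limit explicit. Separately, the warning text "String too long, max length is %d" reports `INT_MAX` as if it were the input limit, but what the check bounds is the expanded output length; rewording it (e.g. "case-expanded string would exceed %d bytes") would avoid confusing callers who see it with an input far shorter than `INT_MAX`. The arithmetic of the two thresholds is otherwise consistent with the write pattern shown: `j >= INT_MAX - 4` stops an alphabetic expansion from pushing `j` past `INT_MAX - 1`, and `j >= INT_MAX - 1` leaves room for the terminating byte, provided `tmp` was allocated with at least `4 * string_len + 1` bytes, which is outside this hunk and should be confirmed in the allocation site.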