Patch for 72838
commit 165336bfa6c06bb90f5ee4e70fc248e072bbf96c | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Mon Aug 15 23:43:59 2016 -0700 | |
Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase | |
diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c | |
index 5d38d04..8eb833a 100644 | |
--- a/ext/ereg/ereg.c | |
+++ b/ext/ereg/ereg.c | |
@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase) | |
for (i = j = 0; i < string_len; i++) { | |
c = (unsigned char) string[i]; | |
+ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) { | |
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX); | |
+ efree(tmp); | |
+ RETURN_FALSE; | |
+ } | |
if (isalpha(c)) { | |
tmp[j++] = '['; | |
tmp[j++] = toupper(c); |
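Review bot: The warning added in the new guard reports `INT_MAX` as the maximum length, but the limit it enforces is on the generated output index `j`, not on the input. The `INT_MAX - 4` bound suggests each alphabetic byte expands to four output bytes, so alphabetic input is rejected at roughly a quarter of that length. Wording such as `"Resulting string too long, max length is %d"` would match what is checked. The constants also deserve a comment above the `if`, e.g. `/* alpha bytes expand to 4 output bytes, others to 1; keep j from wrapping past INT_MAX */`. The declaration of `j` and the allocation of `tmp` are outside the hunk, and the function body continues past it, so confirm that `j` is an `int` and that the size computation for `tmp` is overflow-checked in the same way.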