Skip to content

Instantly share code, notes, and snippets.

/72403.diff Secret
Created Jun 16, 2016

Embed
What would you like to do?
Patch for 72403
commit 88746d60ab3ad51797612ee62603bb3e08d4aac4
Author: Stanislav Malyshev <stas@php.net>
Date: Wed Jun 15 21:46:46 2016 -0700
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 63eede1..acb6a01 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -137,6 +137,9 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t *
register unsigned char *result = NULL;
size_t i, j;
+ if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1);
for (i = j = 0; i < oldlen; i++) {
@@ -2613,6 +2616,7 @@ PHP_FUNCTION(quotemeta)
char *p, *q;
char c;
int old_len;
+ size_t new_len;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) {
return;
@@ -2647,8 +2651,13 @@ PHP_FUNCTION(quotemeta)
}
}
*q = 0;
+ new_len = q - str;
+ if (UNEXPECTED(new_len > INT_MAX)) {
+ efree(str);
+ zend_error(E_ERROR, "String size overflow");
+ }
- RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0);
+ RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0);
}
/* }}} */
@@ -3500,7 +3509,7 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
char *source, *target;
char *end;
char c;
- int newlen;
+ size_t newlen;
if (!wlength) {
wlength = strlen(what);
@@ -3531,11 +3540,15 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
}
*target = 0;
newlen = target - new_str;
+ if (UNEXPECTED(newlen > INT_MAX)) {
+ efree(new_str);
+ zend_error(E_ERROR, "String size overflow");
+ }
if (target - new_str < length * 4) {
new_str = erealloc(new_str, newlen + 1);
}
if (new_length) {
- *new_length = newlen;
+ *new_length = (int)newlen;
}
if (should_free) {
STR_FREE((char*)str);
@@ -3587,6 +3600,9 @@ PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_f
*target = 0;
*new_length = target - new_str;
+ if (UNEXPECTED(*new_length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
if (should_free) {
STR_FREE(str);
}
@@ -4290,6 +4306,9 @@ PHP_FUNCTION(nl2br)
size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);
new_length = str_len + repl_cnt * repl_len;
+ if (UNEXPECTED(new_length > INT_MAX)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1);
}
diff --git a/ext/standard/url.c b/ext/standard/url.c
index 27a216a..fc3f080 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -625,6 +625,10 @@ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
if (new_length) {
*new_length = y;
}
+ if (UNEXPECTED(y > INT_MAX)) {
+ efree(str);
+ zend_error(E_ERROR, "String size overflow");
+ }
return ((char *) str);
}
/* }}} */
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.