Skip to content

Instantly share code, notes, and snippets.

/72838.diff Secret
Created Aug 16, 2016

Embed
What would you like to do?
Patch for 72838
commit 165336bfa6c06bb90f5ee4e70fc248e072bbf96c
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Aug 15 23:43:59 2016 -0700
Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 5d38d04..8eb833a 100644
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
for (i = j = 0; i < string_len; i++) {
c = (unsigned char) string[i];
+ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
+ efree(tmp);
+ RETURN_FALSE;
+ }
if (isalpha(c)) {
tmp[j++] = '[';
tmp[j++] = toupper(c);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.