/72403.diff Secret

## 72403.diff
commit 8bb003da20ce4a6d14b37a6de9faa685925da182
Author: Stanislav Malyshev <stas@php.net>
Date:   Wed Jun 15 21:46:46 2016 -0700

    Fix bug #72400 and #72403 - prevent signed int overflows for string lengths

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 63eede1..02f8276 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -137,6 +137,9 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t *
 	register unsigned char *result = NULL;
 	size_t i, j;

+	if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) {
+		zend_error(E_ERROR, "String size overflow");
+	}
 	result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1);

 	for (i = j = 0; i < oldlen; i++) {
@@ -2613,6 +2616,7 @@ PHP_FUNCTION(quotemeta)
 	char *p, *q;
 	char c;
 	int  old_len;
+	size_t new_len;

 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) {
 		return;
@@ -2647,8 +2651,13 @@ PHP_FUNCTION(quotemeta)
 		}
 	}
 	*q = 0;
+	new_len = q - str;
+	if (UNEXPECTED(new_len > INT_MAX)) {
+		efree(str);
+		zend_error(E_ERROR, "String size overflow");
+	}

-	RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0);
+	RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0);
 }
 /* }}} */

@@ -3500,7 +3509,7 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
 	char *source, *target;
 	char *end;
 	char c;
-	int  newlen;
+	size_t  newlen;

 	if (!wlength) {
 		wlength = strlen(what);
@@ -3531,11 +3540,15 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
 	}
 	*target = 0;
 	newlen = target - new_str;
+	if (UNEXPECTED(newlen > INT_MAX)) {
+		efree(new_str);
+		zend_error(E_ERROR, "String size overflow");
+	}
 	if (target - new_str < length * 4) {
 		new_str = erealloc(new_str, newlen + 1);
 	}
 	if (new_length) {
-		*new_length = newlen;
+		*new_length = (int)newlen;
 	}
 	if (should_free) {
 		STR_FREE((char*)str);
@@ -3587,6 +3600,9 @@ PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_f

 	*target = 0;
 	*new_length = target - new_str;
+	if (UNEXPECTED(*new_length < 0)) {
+		zend_error(E_ERROR, "String size overflow");
+	}
 	if (should_free) {
 		STR_FREE(str);
 	}
diff --git a/ext/standard/url.c b/ext/standard/url.c
index 27a216a..fc3f080 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -625,6 +625,10 @@ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
 	if (new_length) {
 		*new_length = y;
 	}
+	if (UNEXPECTED(y > INT_MAX)) {
+		efree(str);
+		zend_error(E_ERROR, "String size overflow");
+	}
 	return ((char *) str);
 }
 /* }}} */
	commit 8bb003da20ce4a6d14b37a6de9faa685925da182
	Author: Stanislav Malyshev <stas@php.net>
	Date: Wed Jun 15 21:46:46 2016 -0700

	Fix bug #72400 and #72403 - prevent signed int overflows for string lengths

	diff --git a/ext/standard/string.c b/ext/standard/string.c
	index 63eede1..02f8276 100644
	--- a/ext/standard/string.c
	+++ b/ext/standard/string.c
	@@ -137,6 +137,9 @@ static char php_bin2hex(const unsigned char old, const size_t oldlen, size_t *
	register unsigned char *result = NULL;
	size_t i, j;

	+ if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) {
	+ zend_error(E_ERROR, "String size overflow");
	+ }
	result = (unsigned char ) safe_emalloc(oldlen, 2 sizeof(char), 1);

	for (i = j = 0; i < oldlen; i++) {
	@@ -2613,6 +2616,7 @@ PHP_FUNCTION(quotemeta)
	char p, q;
	char c;
	int old_len;
	+ size_t new_len;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) {
	return;
	@@ -2647,8 +2651,13 @@ PHP_FUNCTION(quotemeta)
	}
	}
	*q = 0;
	+ new_len = q - str;
	+ if (UNEXPECTED(new_len > INT_MAX)) {
	+ efree(str);
	+ zend_error(E_ERROR, "String size overflow");
	+ }

	- RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0);
	+ RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0);
	}
	/* }}} */

	@@ -3500,7 +3509,7 @@ PHPAPI char php_addcslashes(const char str, int length, int *new_length, int s
	char source, target;
	char *end;
	char c;
	- int newlen;
	+ size_t newlen;

	if (!wlength) {
	wlength = strlen(what);
	@@ -3531,11 +3540,15 @@ PHPAPI char php_addcslashes(const char str, int length, int *new_length, int s
	}
	*target = 0;
	newlen = target - new_str;
	+ if (UNEXPECTED(newlen > INT_MAX)) {
	+ efree(new_str);
	+ zend_error(E_ERROR, "String size overflow");
	+ }
	if (target - new_str < length * 4) {
	new_str = erealloc(new_str, newlen + 1);
	}
	if (new_length) {
	- *new_length = newlen;
	+ *new_length = (int)newlen;
	}
	if (should_free) {
	STR_FREE((char*)str);
	@@ -3587,6 +3600,9 @@ PHPAPI char php_addslashes(char str, int length, int *new_length, int should_f

	*target = 0;
	*new_length = target - new_str;
	+ if (UNEXPECTED(*new_length < 0)) {
	+ zend_error(E_ERROR, "String size overflow");
	+ }
	if (should_free) {
	STR_FREE(str);
	}
	diff --git a/ext/standard/url.c b/ext/standard/url.c
	index 27a216a..fc3f080 100644
	--- a/ext/standard/url.c
	+++ b/ext/standard/url.c
	@@ -625,6 +625,10 @@ PHPAPI char php_raw_url_encode(char const s, int len, int *new_length)
	if (new_length) {
	*new_length = y;
	}
	+ if (UNEXPECTED(y > INT_MAX)) {
	+ efree(str);
	+ zend_error(E_ERROR, "String size overflow");
	+ }
	return ((char *) str);
	}
	/* }}} */