Patch for 72403
commit 8bb003da20ce4a6d14b37a6de9faa685925da182 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Wed Jun 15 21:46:46 2016 -0700 | |
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths | |
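--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -137,6 +137,9 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t *
 register unsigned char *result = NULL;
 size_t i, j;
+ if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
 result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1);
 for (i = j = 0; i < oldlen; i++) {
@@ -2613,6 +2616,7 @@ PHP_FUNCTION(quotemeta)
 char *p, *q;
 char c;
 int old_len;
+ size_t new_len;
 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) {
 return;
@@ -2647,8 +2651,13 @@ PHP_FUNCTION(quotemeta)
 }
 }
 *q = 0;
+ new_len = q - str;
+ if (UNEXPECTED(new_len > INT_MAX)) {
+ efree(str);
+ zend_error(E_ERROR, "String size overflow");
+ }
- RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0);
+ RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0);
 }
 /* }}} */
@@ -3500,7 +3509,7 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
 char *source, *target;
 char *end;
 char c;
- int newlen;
+ size_t newlen;
 if (!wlength) {
 wlength = strlen(what);
@@ -3531,11 +3540,15 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
 }
 *target = 0;
 newlen = target - new_str;
+ if (UNEXPECTED(newlen > INT_MAX)) {
+ efree(new_str);
+ zend_error(E_ERROR, "String size overflow");
+ }
 if (target - new_str < length * 4) {
 new_str = erealloc(new_str, newlen + 1);
 }
 if (new_length) {
- *new_length = newlen;
+ *new_length = (int)newlen;
 }
 if (should_free) {
 STR_FREE((char*)str);
@@ -3587,6 +3600,9 @@ PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_f
 *target = 0;
 *new_length = target - new_str;
+ if (UNEXPECTED(*new_length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
 if (should_free) {
 STR_FREE(str);
 }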
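Review bot: In the php_addslashes hunk the overflow test runs only after the length has been narrowed: `*new_length = target - new_str;` stores a pointer difference into an `int`, and `*new_length < 0` then depends on how an out-of-range value happens to convert. The quotemeta and php_addcslashes hunks in this file compare a `size_t` against `INT_MAX` before narrowing and free the buffer first; the same shape here would be `size_t newlen = target - new_str;`, `if (UNEXPECTED(newlen > INT_MAX)) { efree(new_str); zend_error(E_ERROR, "String size overflow"); }`, `*new_length = (int)newlen;`. Separately, the unchanged comparison `target - new_str < length * 4` in php_addcslashes still multiplies in `int`, which is undefined once `length` exceeds `INT_MAX / 4`; comparing `newlen` against a widened product would avoid that. Both function bodies begin outside their hunks, so the local declarations and the allocation sizes should be confirmed there.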
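--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -625,6 +625,10 @@ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
 if (new_length) {
 *new_length = y;
 }
+ if (UNEXPECTED(y > INT_MAX)) {
+ efree(str);
+ zend_error(E_ERROR, "String size overflow");
+ }
 return ((char *) str);
 }
 /* }}} */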
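Review bot: The new `y > INT_MAX` guard in php_raw_url_encode sits after `*new_length = y;`, so the out-parameter has already received the narrowed value when the overflow is detected; the check and `efree(str)` belong before that store. The declaration of `y` is outside the hunk: if it is still an `int`, the comparison can never be true and the guard is dead code, so this only works if `y` is an unsigned or wider type such as `size_t`. If that is the case the store should also carry an explicit narrowing, `*new_length = (int)y;`, as the php_addcslashes hunk does. The function body starts outside the hunk, so the type of `y` and the allocation size need to be confirmed there.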