Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PHP bug #78875
From 8e8990b69bd90e9292e944a597c13a592813d92c Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 18 Mar 2020 10:26:53 +0100
Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not
cleaned
We must not cast `size_t` to `int` (unless the `size_t` value is
guaranteed to be less than or equal to `INT_MAX`). In this case we can
declare `array_len` as `size_t` in the first place.
---
main/rfc1867.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 8a8e335ef4..617a94d0ef 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -690,7 +690,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
char *lbuf = NULL, *abuf = NULL;
zend_string *temp_filename = NULL;
- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
+ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
+ size_t array_len = 0;
int64_t total_bytes = 0, max_file_size = 0;
int skip_upload = 0, anonindex = 0, is_anonymous;
HashTable *uploaded_files = NULL;
@@ -1124,7 +1125,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
if (is_arr_upload) {
- array_len = (int)strlen(start_arr);
+ array_len = strlen(start_arr);
if (array_index) {
efree(array_index);
}
--
2.25.1.windows.1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.