-
-
Save smalyshev/06070802c576df949aab to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 57b997ebf99e0eb9a073e0dafd2ab100bd4a112d | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sun Feb 21 23:14:29 2016 -0800 | |
Fix bug #71637: Multiple Heap Overflow due to integer overflows | |
diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c | |
index ff27bdb..0b11ecf 100644 | |
--- a/ext/filter/sanitizing_filters.c | |
+++ b/ext/filter/sanitizing_filters.c | |
@@ -87,7 +87,7 @@ static void php_filter_encode_url(zval *value, const unsigned char* chars, const | |
memset(tmp, 1, 32); | |
} | |
*/ | |
- str = zend_string_alloc(3 * Z_STRLEN_P(value), 0); | |
+ str = zend_string_safe_alloc(Z_STRLEN_P(value), 3, 0, 0); | |
p = (unsigned char *) ZSTR_VAL(str); | |
s = (unsigned char *) Z_STRVAL_P(value); | |
e = s + Z_STRLEN_P(value); | |
diff --git a/ext/standard/string.c b/ext/standard/string.c | |
index 489006b..7b6ad8e 100644 | |
--- a/ext/standard/string.c | |
+++ b/ext/standard/string.c | |
@@ -5372,7 +5372,7 @@ PHP_FUNCTION(str_pad) | |
return; | |
} | |
- result = zend_string_alloc(ZSTR_LEN(input) + num_pad_chars, 0); | |
+ result = zend_string_safe_alloc(ZSTR_LEN(input), 1, num_pad_chars, 0); | |
ZSTR_LEN(result) = 0; | |
/* We need to figure out the left/right padding lengths. */ | |
diff --git a/ext/xml/xml.c b/ext/xml/xml.c | |
index d6eae46..bfa1b85 100644 | |
--- a/ext/xml/xml.c | |
+++ b/ext/xml/xml.c | |
@@ -581,7 +581,7 @@ PHP_XML_API zend_string *xml_utf8_encode(const char *s, size_t len, const XML_Ch | |
} | |
/* This is the theoretical max (will never get beyond len * 2 as long | |
* as we are converting from single-byte characters, though) */ | |
- str = zend_string_alloc(len * 4, 0); | |
+ str = zend_string_safe_alloc(len, 4, 0, 0); | |
ZSTR_LEN(str) = 0; | |
while (pos > 0) { | |
c = encoder ? encoder((unsigned char)(*s)) : (unsigned short)(*s); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment