Backported from 5.5.37 for 5.4 by Remi Collet From 489fd56fe37bf40a662931c2b4d5baa918f13e37 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 13 Jun 2016 23:12:47 -0700 Subject: [PATCH] Fix bug #72275: don't allow smart_str to overflow int --- ext/standard/php_smart_str.h | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/ext/standard/php_smart_str.h b/ext/standard/php_smart_str.h index 1872fa8..fc1a753 100644 --- a/ext/standard/php_smart_str.h +++ b/ext/standard/php_smart_str.h @@ -63,6 +63,9 @@ newlen = (d)->len + (n); \ if (newlen >= (d)->a) { \ (d)->a = newlen + SMART_STR_PREALLOC; \ + if (UNEXPECTED((d)->a >= INT_MAX)) { \ + zend_error(E_ERROR, "String size overflow"); \ + } \ SMART_STR_DO_REALLOC(d, what); \ } \ } \ @@ -148,17 +151,17 @@ * for GCC compatible compilers, e.g. * * #define f(..) ({char *r;..;__r;}) - */ - + */ + static inline char *smart_str_print_long(char *buf, long num) { - char *r; - smart_str_print_long4(buf, num, unsigned long, r); + char *r; + smart_str_print_long4(buf, num, unsigned long, r); return r; } static inline char *smart_str_print_unsigned(char *buf, long num) { - char *r; - smart_str_print_unsigned4(buf, num, unsigned long, r); + char *r; + smart_str_print_unsigned4(buf, num, unsigned long, r); return r; } @@ -168,7 +171,7 @@ static inline char *smart_str_print_unsigned(char *buf, long num) { smart_str_print##func##4 (__b + sizeof(__b) - 1, (num), vartype, __t); \ smart_str_appendl_ex((dest), __t, __b + sizeof(__b) - 1 - __t, (type)); \ } while (0) - + #define smart_str_append_unsigned_ex(dest, num, type) \ smart_str_append_generic_ex((dest), (num), (type), unsigned long, _unsigned)