1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
Backported from 5.5.37 for 5.4 by Remi Collet
From 489fd56fe37bf40a662931c2b4d5baa918f13e37 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 13 Jun 2016 23:12:47 -0700
Subject: [PATCH] Fix bug #72275: don't allow smart_str to overflow int
---
ext/standard/php_smart_str.h | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/ext/standard/php_smart_str.h b/ext/standard/php_smart_str.h
index 1872fa8..fc1a753 100644
--- a/ext/standard/php_smart_str.h
+++ b/ext/standard/php_smart_str.h
@@ -63,6 +63,9 @@
newlen = (d)->len + (n); \
if (newlen >= (d)->a) { \
(d)->a = newlen + SMART_STR_PREALLOC; \
+ if (UNEXPECTED((d)->a >= INT_MAX)) { \
+ zend_error(E_ERROR, "String size overflow"); \
+ } \
SMART_STR_DO_REALLOC(d, what); \
} \
} \
@@ -148,17 +151,17 @@
* for GCC compatible compilers, e.g.
*
* #define f(..) ({char *r;..;__r;})
- */
-
+ */
+
static inline char *smart_str_print_long(char *buf, long num) {
- char *r;
- smart_str_print_long4(buf, num, unsigned long, r);
+ char *r;
+ smart_str_print_long4(buf, num, unsigned long, r);
return r;
}
static inline char *smart_str_print_unsigned(char *buf, long num) {
- char *r;
- smart_str_print_unsigned4(buf, num, unsigned long, r);
+ char *r;
+ smart_str_print_unsigned4(buf, num, unsigned long, r);
return r;
}
@@ -168,7 +171,7 @@ static inline char *smart_str_print_unsigned(char *buf, long num) {
smart_str_print##func##4 (__b + sizeof(__b) - 1, (num), vartype, __t); \
smart_str_appendl_ex((dest), __t, __b + sizeof(__b) - 1 - __t, (type)); \
} while (0)
-
+
#define smart_str_append_unsigned_ex(dest, num, type) \
smart_str_append_generic_ex((dest), (num), (type), unsigned long, _unsigned)
|
