1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
Backported from 5.5 for 5.4 by Remi Collet
From 41fc3c76e97a36ff3b505da7d704ca17bb171fdf Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 9 May 2016 22:17:20 -0700
Subject: [PATCH] Add check for string overflow to all string add operations
---
Zend/zend_operators.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index e0812fc..2f1394f 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1199,6 +1199,10 @@ ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2)
int length = Z_STRLEN_P(op1) + 1;
char *buf;
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
+
if (IS_INTERNED(Z_STRVAL_P(op1))) {
buf = (char *) emalloc(length + 1);
memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
@@ -1218,6 +1222,9 @@ ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2
int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
char *buf;
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
if (IS_INTERNED(Z_STRVAL_P(op1))) {
buf = (char *) emalloc(length+1);
memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
|
