1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
Backported from 5.6.25 by Remi.
From dc223e524d640167c0f12e942eb52cabd6f89ee4 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 16 Aug 2016 15:58:05 -0700
Subject: [PATCH] Fixed bug #72849 - integer overflow in urlencode
---
ext/standard/url.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ext/standard/url.c b/ext/standard/url.c
index 4b52000..8e471e1 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -520,6 +520,12 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
*to++ = c;
}
}
+
+ if ((to-start) > INT_MAX) {
+ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
+ }
+
*to = 0;
if (new_length) {
*new_length = to - start;
From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 16 Aug 2016 16:34:35 -0700
Subject: [PATCH] Fix TSRM build
---
ext/standard/base64.c | 1 +
ext/standard/url.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/ext/standard/url.c b/ext/standard/url.c
index 8e471e1..dd861a5 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -522,6 +522,7 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
}
if ((to-start) > INT_MAX) {
+ TSRMLS_FETCH();
/* E_ERROR since most clients won't check for error, and this is rather rare condition */
php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
}
|
