Backported from 5.6.25 by Remi. From 6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 15 Aug 2016 23:43:59 -0700 Subject: [PATCH] Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase --- ext/ereg/ereg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c index 5d38d04..8eb833a 100644 --- a/ext/ereg/ereg.c +++ b/ext/ereg/ereg.c @@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase) for (i = j = 0; i < string_len; i++) { c = (unsigned char) string[i]; + if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX); + efree(tmp); + RETURN_FALSE; + } if (isalpha(c)) { tmp[j++] = '['; tmp[j++] = toupper(c);