1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
Backported from 5.6.25 by Remi.
From 791a98eb1c66d2340b4e897ab60e4a6700435b5b Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Thu, 11 Aug 2016 23:36:25 -0700
Subject: [PATCH] Fix for bug #72807 - do not produce strings with negative
length
---
Zend/zend_API.h | 7 +++++--
ext/curl/interface.c | 4 ++++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/Zend/zend_API.h b/Zend/zend_API.h
index a56075e..e17be4c 100644
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@@ -444,7 +444,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval
#define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC)
#define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC)
#define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC)
-#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
+#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC);
@@ -455,7 +455,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache;
/** Build zend_call_info/cache from a zval*
*
- * Caller is responsible to provide a return value, otherwise the we will crash.
+ * Caller is responsible to provide a return value, otherwise the we will crash.
* fci->retval_ptr_ptr = NULL;
* In order to pass parameters the following members need to be set:
* fci->param_count = 0;
@@ -575,6 +575,9 @@ END_EXTERN_C()
const char *__s=(s); \
zval *__z = (z); \
Z_STRLEN_P(__z) = strlen(__s); \
+ if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
+ zend_error(E_ERROR, "String size overflow"); \
+ } \
Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
Z_TYPE_P(__z) = IS_STRING; \
} while (0)
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index c7112a0..062f996 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -3506,6 +3506,10 @@ PHP_FUNCTION(curl_escape)
ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
if ((res = curl_easy_escape(ch->cp, str, str_len))) {
+ if (strlen(res) > INT_MAX) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX);
+ RETURN_FALSE;
+ }
RETVAL_STRING(res, 1);
curl_free(res);
} else {
|
