authorNikita Popov <nikic@php.net>2012-07-05 20:31:58 +0200
committerNikita Popov <nikic@php.net>2012-07-05 20:41:54 +0200
commit157ddd95773114c1148536b4b32fcbedf0c79b20 (patch)
tree1a98388c9e0219156396e8d7871ecd444a3bf3d5
parent88f46b162b3bf9bc9a7a1d3d7280f702f5b9f501 (diff)
Fix potential integer overflow in nl2br
The buffer size was calculated manually, thus creating integer overflows for very large inputs, e.g. nl2br(str_repeat("\n", 613566757)). The code now uses safe_emalloc, thus making the code throw an error instead of crashing.
-rw-r--r--ext/standard/string.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c
index a521d78261..1a7bd1e0b4 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4001,13 +4001,12 @@ PHP_FUNCTION(nl2br)
RETURN_STRINGL(str, str_len, 1);
}
- if (is_xhtml) {
- new_length = str_len + repl_cnt * (sizeof("<br />") - 1);
- } else {
- new_length = str_len + repl_cnt * (sizeof("<br>") - 1);
- }
+ {
+ size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);
- tmp = target = emalloc(new_length + 1);
+ new_length = str_len + repl_cnt * repl_len;
+ tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1);
+ }
while (str < end) {
switch (*str) {
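Review bot: The added line `new_length = str_len + repl_cnt * repl_len;` still does the size arithmetic unchecked; only the allocation size goes through safe_emalloc's overflow check. If new_length is narrower than size_t (its declaration is outside the hunk), a sum that passes the size_t check on a 64-bit build can still be truncated when stored, and any later use of new_length as the result length would then disagree with the allocated buffer. Consider rejecting the input before allocating when the result does not fit the type of new_length, e.g. `if (repl_cnt > (INT_MAX - str_len) / repl_len) { /* report error */ }` assuming an int length. Alternatively, document the invariant with a comment such as `/* safe_emalloc() bails out if repl_cnt * repl_len + str_len + 1 overflows size_t; new_length must be able to hold the same value */`. The body of nl2br continues outside the hunk, so the later uses of new_length are not visible here.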