summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2016-05-09 21:55:29 -0700
committerStanislav Malyshev <stas@php.net>2016-05-09 21:55:29 -0700
commitabd159cce48f3e34f08e4751c568e09677d5ec9c (patch)
treed1e85639144aab8e3d315c21fe5ad262401acfea
parent95ed19ae28009aa7b3ed42d5760478de82640560 (diff)
downloadphp-git-abd159cce48f3e34f08e4751c568e09677d5ec9c.tar.gz
Fix bug #72114 - int/size_t confusion in fread
Diffstat
-rw-r--r--ext/standard/file.c6
-rw-r--r--ext/standard/tests/file/bug72114.phpt12
2 files changed, 18 insertions, 0 deletions
diff --git a/ext/standard/file.c b/ext/standard/file.c
index 0abc022ca6..e39c84f1cd 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -1758,6 +1758,12 @@ PHPAPI PHP_FUNCTION(fread)
RETURN_FALSE;
}
+ if (len > INT_MAX) {
+ /* string length is int in 5.x so we can not read more than int */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
+ RETURN_FALSE;
+ }
+
Z_STRVAL_P(return_value) = emalloc(len + 1);
Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);
diff --git a/ext/standard/tests/file/bug72114.phpt b/ext/standard/tests/file/bug72114.phpt
new file mode 100644
index 0000000000..5e591ee478
--- /dev/null
+++ b/ext/standard/tests/file/bug72114.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
+--FILE--
+<?php
+ini_set('memory_limit', "2500M");
+$fp = fopen("/dev/zero", "r");
+fread($fp, 2147483648);
+?>
+Done
+--EXPECTF--
+Warning: fread(): Length parameter must be no more than 2147483647 in %s/bug72114.php on line %d
+Done
View Lorry Controller Status