author | Stanislav Malyshev <stas@php.net> | 2017-06-20 00:09:01 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2017-07-04 19:00:03 -0700 |
commit | 5f8380d33e648964d2d5140f329cf2d4c443033c (patch) | |
tree | 289308d64f217fd4766f80d3f4422e724ca9c265 | |
parent | 89637c6b41b510c20d262c17483f582f115c66d6 (diff) | |
Fix bug #74603 - use correct buffer size
-rw-r--r-- | Zend/tests/bug74603.ini | 1 | ||||
-rw-r--r-- | Zend/tests/bug74603.phpt | 15 | ||||
-rw-r--r-- | Zend/zend_ini_parser.y | 2 |
3 files changed, 17 insertions, 1 deletions
diff --git a/Zend/tests/bug74603.ini b/Zend/tests/bug74603.ini
new file mode 100644
index 0000000000..8d74a570ec
--- /dev/null
+++ b/Zend/tests/bug74603.ini
@@ -0,0 +1 @@
+0=0&~2000000000
diff --git a/Zend/tests/bug74603.phpt b/Zend/tests/bug74603.phpt
new file mode 100644
index 0000000000..b3194ecd48
--- /dev/null
+++ b/Zend/tests/bug74603.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability)
+--SKIPIF--
+<?php
+if (PHP_INT_MAX !== 2147483647)
+ die('skip for 32-bit only');
+--FILE--
+<?php
+var_dump(parse_ini_file(__DIR__ . "/bug74603.ini", true, INI_SCANNER_NORMAL));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(1) "0"
+}
diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y
index ea4771a111..ad8a84dd2c 100644
--- a/Zend/zend_ini_parser.y
+++ b/Zend/zend_ini_parser.y
@@ -53,7 +53,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
 {
 int i_result;
 int i_op1, i_op2;
- char str_result[MAX_LENGTH_OF_LONG];
+ char str_result[MAX_LENGTH_OF_LONG+1];
 i_op1 = atoi(Z_STRVAL_P(op1));
 free(Z_STRVAL_P(op1)); |
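Review bot: The SKIPIF guard in bug74603.phpt, `if (PHP_INT_MAX !== 2147483647) die('skip for 32-bit only');`, means this regression test never runs on 64-bit builds. The expected output looks platform-independent, since `0 & x` yields `"0"` for any x, so the guard could probably be dropped unless the parser behaves differently there. The EXPECT section also checks only the parsed array, so a one-byte stack overwrite would likely pass unnoticed on a build without a sanitizer or stack protector. I would record that in the FILE section with `// Only catches the overflow under ASan or a stack protector; the output is "0" either way.`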
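Review bot: The new declaration `char str_result[MAX_LENGTH_OF_LONG+1];` corrects the size with a bare `+1` and no comment saying what the extra byte is for, so a later change to the constant or to the formatting call can reintroduce the off-by-one. I would add `/* +1: room for the terminating NUL after the longest formatted value */` above it. The definition of MAX_LENGTH_OF_LONG is not visible here, so confirm that it excludes the terminator. The write into `str_result` lies outside this hunk, as does the rest of zend_ini_do_op's body. If that write is an unbounded `sprintf`-style call, passing `sizeof(str_result)` to a bounded variant would keep the buffer safe regardless of the constant.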