authorStanislav Malyshev <stas@php.net>2016-05-09 22:17:20 -0700
committerStanislav Malyshev <stas@php.net>2016-05-09 22:17:20 -0700
commit41fc3c76e97a36ff3b505da7d704ca17bb171fdf (patch)
treeb3bf15224133812a68cd443bef5a270a00a3a114
parentabd159cce48f3e34f08e4751c568e09677d5ec9c (diff)
Add check for string overflow to all string add operations
-rw-r--r--Zend/zend_operators.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index e0812fccc4..2f1394f78d 100644
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1254,6 +1254,10 @@ ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2)
int length = Z_STRLEN_P(op1) + 1;
char *buf;
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
+
if (IS_INTERNED(Z_STRVAL_P(op1))) {
buf = (char *) emalloc(length + 1);
memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
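Review bot: The added `length < 0` test runs only after the addition in `int length = Z_STRLEN_P(op1) + 1;`, so if Z_STRLEN_P yields a signed int (as the `int length` declaration suggests) the overflow has already occurred; that is undefined behaviour, and an optimizing compiler may fold the test away. The test also lets `length == INT_MAX` through, after which `emalloc(length + 1)` overflows a second time. Checking the operands before adding avoids both problems, assuming the lengths are never negative: `if (UNEXPECTED(Z_STRLEN_P(op1) >= INT_MAX - 1)) {` here, and `if (UNEXPECTED(Z_STRLEN_P(op1) >= INT_MAX - Z_STRLEN_P(op2))) {` in the add_string_to_string hunk, which has the same pattern. Both function bodies start before and continue past their hunks, so the rest of the buffer handling is not visible here.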
@@ -1273,6 +1277,9 @@ ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2
int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
char *buf;
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
if (IS_INTERNED(Z_STRVAL_P(op1))) {
buf = (char *) emalloc(length+1);
memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));