diff options
author | Stanislav Malyshev <stas@php.net> | 2017-06-20 00:09:01 -0700 |
---|---|---|
committer | Joe Watkins <krakjoe@php.net> | 2017-07-06 07:43:43 +0100 |
commit | 88c521d659521f695e0b9e7fcdded0fc1ee1c53b (patch) | |
tree | 4dd2c8412c6e96011f13745527a1ff6680267475 | |
parent | 7378e7bdc8c3d7c7bbd7dc72bc5fb6cf724955a2 (diff) | |
download | php-git-88c521d659521f695e0b9e7fcdded0fc1ee1c53b.tar.gz |
Fix bug #74603 - use correct buffer size
-rw-r--r-- | Zend/tests/bug74603.ini | 1 | ||||
-rw-r--r-- | Zend/tests/bug74603.phpt | 15 | ||||
-rw-r--r-- | Zend/zend_ini_parser.y | 2 |
3 files changed, 17 insertions, 1 deletions
diff --git a/Zend/tests/bug74603.ini b/Zend/tests/bug74603.ini new file mode 100644 index 0000000000..8d74a570ec --- /dev/null +++ b/Zend/tests/bug74603.ini @@ -0,0 +1 @@ +0=0&~2000000000 diff --git a/Zend/tests/bug74603.phpt b/Zend/tests/bug74603.phpt new file mode 100644 index 0000000000..b3194ecd48 --- /dev/null +++ b/Zend/tests/bug74603.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability) +--SKIPIF-- +<?php +if (PHP_INT_MAX !== 2147483647) + die('skip for 32-bit only'); +--FILE-- +<?php +var_dump(parse_ini_file(__DIR__ . "/bug74603.ini", true, INI_SCANNER_NORMAL)); +?> +--EXPECT-- +array(1) { + [0]=> + string(1) "0" +} diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y index 0a06f21f9e..c44e14ded6 100644 --- a/Zend/zend_ini_parser.y +++ b/Zend/zend_ini_parser.y @@ -55,7 +55,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2) int i_result; int i_op1, i_op2; int str_len; - char str_result[MAX_LENGTH_OF_LONG]; + char str_result[MAX_LENGTH_OF_LONG+1]; i_op1 = atoi(Z_STRVAL_P(op1)); zend_string_free(Z_STR_P(op1)); |