diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-11-19 14:22:26 +0100 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-02 11:18:19 +0100 |
| commit | db420cb6a141876b2f7d101051fb01934a28071a (patch) | |
| tree | 60ef0becb9df91f5321ca18fc622cbf58a9283ad | |
| parent | c7141412ce4fba14dc33a8182cab7d84658ca613 (diff) | |
| download | php-git-db420cb6a141876b2f7d101051fb01934a28071a.tar.gz | |
Fix #78833: Integer overflow in pack causes out-of-bound access
We check for potential signed integer overflow, and bail out
gracefully, in that case.
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/standard/pack.c | 5 | ||||
| -rw-r--r-- | ext/standard/tests/strings/bug78833.phpt | 9 |
3 files changed, 15 insertions, 1 deletions
@@ -14,6 +14,8 @@ PHP NEWS - Standard: . Fixed bug #78759 (array_search in $GLOBALS). (Nikita) + . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access). + (cmb) 21 Nov 2019, PHP 7.2.25 diff --git a/ext/standard/pack.c b/ext/standard/pack.c index 7d154841ab..b21edc4a84 100644 --- a/ext/standard/pack.c +++ b/ext/standard/pack.c @@ -343,10 +343,13 @@ PHP_FUNCTION(pack) if (arg < 0) { arg = num_args - currentarg; } - + if (currentarg > INT_MAX - arg) { + goto too_few_args; + } currentarg += arg; if (currentarg > num_args) { +too_few_args: efree(formatcodes); efree(formatargs); php_error_docref(NULL, E_WARNING, "Type %c: too few arguments", code); diff --git a/ext/standard/tests/strings/bug78833.phpt b/ext/standard/tests/strings/bug78833.phpt new file mode 100644 index 0000000000..763b6ec4ea --- /dev/null +++ b/ext/standard/tests/strings/bug78833.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #78833 (Integer overflow in pack causes out-of-bound access) +--FILE-- +<?php +var_dump(pack("E2E2147483647H*", 0x0, 0x0, 0x0)); +?> +--EXPECTF-- +Warning: pack(): Type E: too few arguments in %s on line %d +bool(false) |