author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-02 11:18:58 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-02 11:19:15 +0100 |
commit | 3d81c548796b549195be6f8d1e213dcd42802e09 (patch) | |
tree | 512d871a45e3a979b42a9ebe8ed9f3457ab1c392 | |
parent | 1979c5d16fa1e664b7f0422e001bb5ebe22ddd4c (diff) | |
parent | db420cb6a141876b2f7d101051fb01934a28071a (diff) | |
download | php-git-3d81c548796b549195be6f8d1e213dcd42802e09.tar.gz |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
Fix #78833: Integer overflow in pack causes out-of-bound access
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/standard/pack.c | 5 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug78833.phpt | 9 |
3 files changed, 15 insertions, 1 deletions
@@ -26,6 +26,8 @@ PHP NEWS
 . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
 . Fixed bug #77638 (var_export'ing certain class instances segfaults). (cmb)
 . Fixed bug #78840 (imploding $GLOBALS crashes). (cmb)
+ . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
+ (cmb)
 21 Nov 2019, PHP 7.3.12
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index c923305973..580bab5a76 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -342,10 +342,13 @@ PHP_FUNCTION(pack)
 if (arg < 0) {
 arg = num_args - currentarg;
 }
-
+ if (currentarg > INT_MAX - arg) {
+ goto too_few_args;
+ }
 currentarg += arg;
 if (currentarg > num_args) {
+too_few_args:
 efree(formatcodes);
 efree(formatargs);
 php_error_docref(NULL, E_WARNING, "Type %c: too few arguments", code);
diff --git a/ext/standard/tests/strings/bug78833.phpt b/ext/standard/tests/strings/bug78833.phpt
new file mode 100644
index 0000000000..763b6ec4ea
--- /dev/null
+++ b/ext/standard/tests/strings/bug78833.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #78833 (Integer overflow in pack causes out-of-bound access)
+--FILE--
+<?php
+var_dump(pack("E2E2147483647H*", 0x0, 0x0, 0x0));
+?>
+--EXPECTF--
+Warning: pack(): Type E: too few arguments in %s on line %d
+bool(false) |
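Review bot: The new overflow guard reaches the error path with `goto too_few_args` into the body of the following `if (currentarg > num_args)`, which leaves a label inside a conditional block and two separate checks for what is one condition. If `currentarg` never exceeds `num_args` at this point and `arg` is non-negative after the normalisation above (the hunk suggests both but does not show the whole loop; PHP_FUNCTION(pack) begins and ends outside it), a single pre-check `if (arg > num_args - currentarg) {` placed before `currentarg += arg;` rejects the same inputs without the signed addition ever running and without the label. Either way the guard deserves a comment, e.g. `/* reject before the signed currentarg + arg can overflow (bug #78833) */`, so a later cleanup does not fold it back into the post-addition check.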
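Review bot: The regression case in the `--FILE--` section only covers a repeater whose sum with the already-consumed argument count exceeds INT_MAX, so it pins the new guard but not the boundary next to it. A second call whose running count lands exactly on INT_MAX (for example a repeater of 2147483645 after `E2`) should still produce the same "too few arguments" warning through the pre-existing `currentarg > num_args` check, and would catch an off-by-one in the comparison. This assumes a 32-bit `int`, which the constant already used in the test assumes as well.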