| author | Stanislav Malyshev <stas@php.net> | 2008-03-17 23:06:32 +0000 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2008-03-17 23:06:32 +0000 |
| commit | 085af567107d0568d38ba8b12dbce19b949c573d (patch) | |
| tree | 6744ae3b5c33235f8f57de5a8e681de28bb0dfe8 | |
| parent | 9227974ddb44f367b2ed7b0885f3b39169597ca7 (diff) | |
fix integer overflow in length calculation
| -rw-r--r-- | ext/standard/formatted_print.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index 4c507911bd..2d81fae2a5 100644
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -76,6 +76,7 @@ php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
 register int npad;
 int req_size;
 int copy_len;
+ int m_width;
 copy_len = (expprec ? MIN(max_width, len) : len);
 npad = min_width - copy_len;
@@ -86,11 +87,19 @@ php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
 PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n", *buffer, *pos, *size, add, min_width, padding, alignment));
+ m_width = MAX(min_width, copy_len);
- req_size = *pos + MAX(min_width, copy_len) + 1;
+ if(m_width > INT_MAX - *pos - 1) {
+ zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width);
+ }
+
+ req_size = *pos + m_width + 1;
 if (req_size > *size) {
 while (req_size > *size) {
+ if(*size > INT_MAX/2) {
+ zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size);
+ }
 *size <<= 1;
 }
 PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
|
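Review bot: The second `zend_error_noreturn` call, inside the `while (req_size > *size)` loop, prints `req_size` under the text "Field width %d is too long", but that value is the total buffer size needed (`*pos + m_width + 1`), not a field width. Anyone triaging the fatal error will be pointed at the wrong number; a distinct message such as `zend_error_noreturn(E_ERROR, "Formatted output of %d bytes is too long", req_size);` would separate the two failure paths. The first guard, `m_width > INT_MAX - *pos - 1`, is only wrap-free while `*pos` is non-negative, which the hunk does not show, so a comment like `/* *pos is never negative here, so INT_MAX - *pos - 1 cannot wrap */` should state that invariant once it is confirmed. The body of `php_sprintf_appendstring` starts before and continues after this hunk.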
