authorStanislav Malyshev <stas@php.net>2015-05-11 01:10:35 -0700
committerJulien Pauli <jpauli@php.net>2015-05-13 11:31:57 +0200
commitb4161815990a1f2dec8b7ca8c131deadcf32f30c (patch)
tree84f26f7c446d567e00bb9765c1308fc926e07cd9
parentb91f75914edbe06d68895f4f96d5da6f302ec936 (diff)
downloadphp-git-b4161815990a1f2dec8b7ca8c131deadcf32f30c.tar.gz
Add test for bug #69522
-rw-r--r--ext/standard/pack.c6
-rw-r--r--ext/standard/tests/strings/bug69522.phpt11
2 files changed, 17 insertions, 0 deletions
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index a874b7ace9..9d362eb69a 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -654,6 +654,12 @@ PHP_FUNCTION(unpack)
break;
}
+ if (size != 0 && size != -1 && size < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type);
+ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
+
/* Do actual unpacking */
for (i = 0; i != arg; i++ ) {
/* Space for name + number, safe as namelen is ensured <= 200 */
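Review bot: The added guard `if (size != 0 && size != -1 && size < 0)` detects the overflow only after `size` has been computed, and its first clause is redundant, so it reduces to `if (size < -1) {`. The computation of `size` is outside this hunk; if it is signed `int` arithmetic on the parsed repeat count, the negative result relies on wrap-around that C leaves undefined, and a value that wraps to a non-negative number or to exactly -1 would pass the check. It would be more robust to reject an out-of-range repeat count where it is parsed, before any arithmetic. If -1 is kept as an exemption, a comment such as `/* -1 is the "rest of input" sentinel; any other negative size means the repeat count overflowed */` would help, assuming that is what -1 means here. The body of `unpack` starts and ends outside the hunk.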
diff --git a/ext/standard/tests/strings/bug69522.phpt b/ext/standard/tests/strings/bug69522.phpt
new file mode 100644
index 0000000000..fc86d409c6
--- /dev/null
+++ b/ext/standard/tests/strings/bug69522.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #69522 (heap buffer overflow in unpack())
+--FILE--
+<?php
+$a = pack("AAAAAAAAAAAA", 1,2,3,4,5,6,7,8,9,10,11,12);
+$b = unpack('h2147483648', $a);
+?>
+===DONE===
+--EXPECTF--
+Warning: unpack(): Type h: integer overflow in %s on line %d
+===DONE===
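Review bot: The test pins only the warning text, so it would still pass if `unpack()` emitted the warning and then returned a partially filled array. Adding `var_dump($b);` after the `unpack()` call and `bool(false)` to the `--EXPECTF--` section would also cover the `RETURN_FALSE` path added in pack.c. Only the `h` format with a repeat count of 2147483648 is exercised; if other format codes reach the same size check, one extra case (for example `H`) would guard against a regression in a neighbouring branch.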