diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-08-11 23:36:25 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-08-16 22:55:41 -0700 |
| commit | 1cd6bc64637353536032c53e0b6770233f8d03ca (patch) | |
| tree | 0262aea497dc5adb3fef2806f362b7ddb7d47ba9 | |
| parent | 5a34bd6d1e6b4d31221c50bcf477c9508553a646 (diff) | |
| download | php-git-1cd6bc64637353536032c53e0b6770233f8d03ca.tar.gz | |
Fix for bug #72807 - do not produce strings with negative length
| -rw-r--r-- | Zend/zend_API.h | 7 | ||||
| -rw-r--r-- | ext/curl/interface.c | 4 |
2 files changed, 9 insertions, 2 deletions
diff --git a/Zend/zend_API.h b/Zend/zend_API.h index a56075e177..e17be4ce68 100644 --- a/Zend/zend_API.h +++ b/Zend/zend_API.h @@ -447,7 +447,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval #define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC) #define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC) #define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC) -#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC) +#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC) ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC); @@ -458,7 +458,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache; /** Build zend_call_info/cache from a zval* * - * Caller is responsible to provide a return value, otherwise the we will crash. + * Caller is responsible to provide a return value, otherwise the we will crash. * fci->retval_ptr_ptr = NULL; * In order to pass parameters the following members need to be set: * fci->param_count = 0; @@ -578,6 +578,9 @@ END_EXTERN_C() const char *__s=(s); \ zval *__z = (z); \ Z_STRLEN_P(__z) = strlen(__s); \ + if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \ + zend_error(E_ERROR, "String size overflow"); \ + } \ Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\ Z_TYPE_P(__z) = IS_STRING; \ } while (0) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index c7112a091a..062f9969ae 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -3478,6 +3478,10 @@ PHP_FUNCTION(curl_escape) ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl); if ((res = curl_easy_escape(ch->cp, str, str_len))) { + if (strlen(res) > INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX); + RETURN_FALSE; + } RETVAL_STRING(res, 1); curl_free(res); } else { |