add range checks to ext/tidy

author: Anatol Belski <ab@php.net> 2015-08-25 20:32:43 +0200
committer: Anatol Belski <ab@php.net> 2015-08-26 16:39:51 +0200
commit: 871acceace023130b6c650473d4f4425825c1d85 (patch)
tree: 02ad995410e1959a1ee6322bd20c281fdc48c201
parent: 201afce875b90d3675ff2eedc8b8d74f1e62b2d1 (diff)
download: php-git-871acceace023130b6c650473d4f4425825c1d85.tar.gz
1 files changed, 31 insertions, 6 deletions
diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
index cdda540586..b5a78ee53b 100644
--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -1003,7 +1003,7 @@ static int _php_tidy_apply_config_array(TidyDoc doc, HashTable *ht_options)
 	return SUCCESS;
 }
 
-static int php_tidy_parse_string(PHPTidyObj *obj, char *string, int len, char *enc)
+static int php_tidy_parse_string(PHPTidyObj *obj, char *string, uint len, char *enc)
 {
 	TidyBuffer buf;
 
@@ -1195,12 +1195,17 @@ static PHP_FUNCTION(tidy_parse_string)
 		RETURN_FALSE;
 	}
 
+	if (ZEND_SIZE_T_UINT_OVFL(ZSTR_LEN(input))) {
+		php_error_docref(NULL, E_WARNING, "Input string is too long");
+		RETURN_FALSE;
+	}
+
 	tidy_instanciate(tidy_ce_doc, return_value);
 	obj = Z_TIDY_P(return_value);
 
 	TIDY_APPLY_CONFIG_ZVAL(obj->ptdoc->doc, options);
 
-	if (php_tidy_parse_string(obj, ZSTR_VAL(input), ZSTR_LEN(input), enc) == FAILURE) {
+	if (php_tidy_parse_string(obj, ZSTR_VAL(input), (uint)ZSTR_LEN(input), enc) == FAILURE) {
 		zval_ptr_dtor(return_value);
 		RETURN_FALSE;
 	}
@@ -1261,9 +1266,14 @@ static PHP_FUNCTION(tidy_parse_file)
 		RETURN_FALSE;
 	}
 
+	if (ZEND_SIZE_T_UINT_OVFL(ZSTR_LEN(contents))) {
+		php_error_docref(NULL, E_WARNING, "Input string is too long");
+		RETURN_FALSE;
+	}
+
 	TIDY_APPLY_CONFIG_ZVAL(obj->ptdoc->doc, options);
 
-	if (php_tidy_parse_string(obj, ZSTR_VAL(contents), ZSTR_LEN(contents), enc) == FAILURE) {
+	if (php_tidy_parse_string(obj, ZSTR_VAL(contents), (uint)ZSTR_LEN(contents), enc) == FAILURE) {
 		zval_ptr_dtor(return_value);
 		RETVAL_FALSE;
 	}
@@ -1574,9 +1584,14 @@ static TIDY_DOC_METHOD(__construct)
 			return;
 		}
 
+		if (ZEND_SIZE_T_UINT_OVFL(ZSTR_LEN(contents))) {
+			php_error_docref(NULL, E_WARNING, "Input string is too long");
+			RETURN_FALSE;
+		}
+
 		TIDY_APPLY_CONFIG_ZVAL(obj->ptdoc->doc, options);
 
-		php_tidy_parse_string(obj, ZSTR_VAL(contents), ZSTR_LEN(contents), enc);
+		php_tidy_parse_string(obj, ZSTR_VAL(contents), (uint)ZSTR_LEN(contents), enc);
 
 		zend_string_release(contents);
 	}
@@ -1605,9 +1620,14 @@ static TIDY_DOC_METHOD(parseFile)
 		RETURN_FALSE;
 	}
 
+	if (ZEND_SIZE_T_UINT_OVFL(ZSTR_LEN(contents))) {
+		php_error_docref(NULL, E_WARNING, "Input string is too long");
+		RETURN_FALSE;
+	}
+
 	TIDY_APPLY_CONFIG_ZVAL(obj->ptdoc->doc, options);
 
-	if (php_tidy_parse_string(obj, ZSTR_VAL(contents), ZSTR_LEN(contents), enc) == FAILURE) {
+	if (php_tidy_parse_string(obj, ZSTR_VAL(contents), (uint)ZSTR_LEN(contents), enc) == FAILURE) {
 		RETVAL_FALSE;
 	} else {
 		RETVAL_TRUE;
@@ -1630,11 +1650,16 @@ static TIDY_DOC_METHOD(parseString)
 		RETURN_FALSE;
 	}
 
+	if (ZEND_SIZE_T_UINT_OVFL(ZSTR_LEN(input))) {
+		php_error_docref(NULL, E_WARNING, "Input string is too long");
+		RETURN_FALSE;
+	}
+
 	obj = Z_TIDY_P(object);
 
 	TIDY_APPLY_CONFIG_ZVAL(obj->ptdoc->doc, options);
 
-	if(php_tidy_parse_string(obj, ZSTR_VAL(input), ZSTR_LEN(input), enc) == SUCCESS) {
+	if(php_tidy_parse_string(obj, ZSTR_VAL(input), (uint)ZSTR_LEN(input), enc) == SUCCESS) {
 		RETURN_TRUE;
 	}
author	Anatol Belski <ab@php.net>	2015-08-25 20:32:43 +0200
committer	Anatol Belski <ab@php.net>	2015-08-26 16:39:51 +0200
commit	871acceace023130b6c650473d4f4425825c1d85 (patch)
tree	02ad995410e1959a1ee6322bd20c281fdc48c201
parent	201afce875b90d3675ff2eedc8b8d74f1e62b2d1 (diff)
download	php-git-871acceace023130b6c650473d4f4425825c1d85.tar.gz