authorStanislav Malyshev <stas@php.net>2016-08-15 23:43:59 -0700
committerFerenc Kovacs <tyra3l@gmail.com>2016-08-18 12:53:18 +0200
commit6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a (patch)
treeab4782a4388147bc8581e9e17c1dc9573194b90c
parent69236ea9793b76b778c6cd64748cfee817521118 (diff)
downloadphp-git-6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a.tar.gz
Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
-rw-r--r--ext/ereg/ereg.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 5d38d04375..8eb833ac87 100644
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
for (i = j = 0; i < string_len; i++) {
c = (unsigned char) string[i];
+ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
+ efree(tmp);
+ RETURN_FALSE;
+ }
if (isalpha(c)) {
tmp[j++] = '[';
tmp[j++] = toupper(c);