diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-08-16 15:58:05 -0700 |
|---|---|---|
| committer | Ferenc Kovacs <tyra3l@gmail.com> | 2016-08-18 12:53:39 +0200 |
| commit | dc223e524d640167c0f12e942eb52cabd6f89ee4 (patch) | |
| tree | 066745124cf8421a8bfe23239860e0f0f14c2499 | |
| parent | 444314a2919587674c24777e56d29b4040b4fed4 (diff) | |
| download | php-git-dc223e524d640167c0f12e942eb52cabd6f89ee4.tar.gz | |
Fixed bug #72849 - integer overflow in urlencode
| -rw-r--r-- | ext/standard/url.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ext/standard/url.c b/ext/standard/url.c index 4b52000f64..8e471e12d8 100644 --- a/ext/standard/url.c +++ b/ext/standard/url.c @@ -520,6 +520,12 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length) *to++ = c; } } + + if ((to-start) > INT_MAX) { + /* E_ERROR since most clients won't check for error, and this is rather rare condition */ + php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX); + } + *to = 0; if (new_length) { *new_length = to - start; |