author | Stanislav Malyshev <stas@php.net> | 2016-08-15 23:43:59 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-08-16 22:55:42 -0700 |
commit | 5f91f692c354e45b9b46ba672f4182ff478bd1a3 (patch) | |
tree | e59189a6d3c60df1f932eee12055be2a1180f004 /ext/ereg | |
parent | cfdeedd98558a7f946ed79f7100812dc2a43abfe (diff) | |
download | php-git-5f91f692c354e45b9b46ba672f4182ff478bd1a3.tar.gz |
Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
Diffstat (limited to 'ext/ereg')
-rw-r--r-- | ext/ereg/ereg.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 5d38d04375..8eb833ac87 100644
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
 for (i = j = 0; i < string_len; i++) {
 c = (unsigned char) string[i];
+ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
+ efree(tmp);
+ RETURN_FALSE;
+ }
 if (isalpha(c)) {
 tmp[j++] = '[';
 tmp[j++] = toupper(c); |
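Review bot: The warning text in the added guard names the wrong limit: the check bounds `j`, the write index into `tmp`, so an input well under INT_MAX characters can trip it once alphabetic characters are expanded, and "String too long, max length is %d" printed with INT_MAX will mislead whoever reads the log. Wording such as `"Expanded string too long, max length is %d"` would match what is actually enforced. The constants `- 1` and `- 4` also deserve a comment tying them to the writes that follow, for example `/* 1 byte per plain char, 4 per alpha char; keep room for the terminator */`; only two of the writes are visible here, so confirm the count against the rest of the loop. The declaration of `j`, the allocation of `tmp` and the end of the loop all lie outside the hunk, so the assumption that `j` is a signed int indexing a buffer sized for the worst case should be checked there.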