diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-07-19 01:44:14 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-07-19 01:44:14 -0700 |
| commit | 70d6ce336847b9acf2d8069075c14af74eda4c6d (patch) | |
| tree | 3f1a684c7d093328aa74db9d934efff4a763866f /ext/mcrypt/mcrypt.c | |
| parent | 5c90f9b9cdf61ff285aa902cf368ecd184bafd17 (diff) | |
| parent | b00f8f2a5bae651d6375ca34c676963f1f25ee5a (diff) | |
| download | php-git-70d6ce336847b9acf2d8069075c14af74eda4c6d.tar.gz | |
Merge branch 'PHP-7.0'
* PHP-7.0: (27 commits)
fix #72519, possible OOB using imagegif
fix #72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not allow reading past error read
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
update NEWS
Fixed bug #72570 Segmentation fault when binding parameters on a query without placeholders
Fix bug #72562 - destroy var_hash properly
Fix bug #72551 and bug #72552 - check before converting size_t->int
Fix bug #72541 - size_t overflow lead to heap corruption
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
...
Conflicts:
ext/standard/basic_functions.c
Diffstat (limited to 'ext/mcrypt/mcrypt.c')
| -rw-r--r-- | ext/mcrypt/mcrypt.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c index 68528d30f2..cf9c2ccdf1 100644 --- a/ext/mcrypt/mcrypt.c +++ b/ext/mcrypt/mcrypt.c @@ -645,6 +645,10 @@ PHP_FUNCTION(mcrypt_generic) memset(ZSTR_VAL(data_str), 0, data_size); memcpy(ZSTR_VAL(data_str), data, data_len); } else { /* It's not a block algorithm */ + if (data_len > INT_MAX) { + php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX); + RETURN_FALSE; + } data_size = (int)data_len; data_str = zend_string_alloc(data_size, 0); memset(ZSTR_VAL(data_str), 0, data_size); @@ -695,6 +699,10 @@ PHP_FUNCTION(mdecrypt_generic) memset(data_s, 0, data_size); memcpy(data_s, data, data_len); } else { /* It's not a block algorithm */ + if (data_len > INT_MAX) { + php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX); + RETURN_FALSE; + } data_size = (int)data_len; data_s = emalloc(data_size + 1); memset(data_s, 0, data_size); |