author | Stanislav Malyshev <stas@php.net> | 2016-10-11 16:26:35 -0700 |
committer | Stanislav Malyshev <stas@php.net> | 2016-10-11 16:26:35 -0700 |
commit | 689a9b8def07875641b3132a82c701fb7acb676c (patch) | |
tree | 22120cf5e4c46ede692518256e8019178e90c1a8 /ext/pcre/php_pcre.c | |
parent | 4165d976066129000d947ffa3be73f91e9867635 (diff) | |
parent | 082d1f237531ab71c3050dfb9f598344f654d9e1 (diff) | |
Merge branch 'PHP-5.6.27' into PHP-5.6
* PHP-5.6.27:
Fix tests
fix tsrm
Fix bug #73284 - heap overflow in php_ereg_replace function
Fix bug #73276 - crash in openssl_random_pseudo_bytes function
Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
fix bug #73275 - crash in openssl_encrypt function
Fix for #73240 - Write out of bounds at number_format
Bug #73218: add mitigation for ICU int overflow
Add more locale length checks, due to ICU bugs.
Fix bug #73208 - another missing length check
Fix bug #73190: memcpy negative parameter _bc_new_num_ex
Fix bug #73189 - Memcpy negative size parameter php_resolve_path
Fixed bug #73174 - heap overflow in php_pcre_replace_impl
Fix bug #73150: missing NULL check in dom_document_save_html
Fix bug #73147: Use After Free in PHP7 unserialize()
Fix bug #73082
Fix bug #73073 - CachingIterator null dereference when convert to string
Diffstat (limited to 'ext/pcre/php_pcre.c')
-rw-r--r-- | ext/pcre/php_pcre.c | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 7589a7803c..2a8ff199b8 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -1075,8 +1075,8 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
 char **subpat_names; /* Array for named subpatterns */
 int num_subpats; /* Number of captured subpatterns */
 int size_offsets; /* Size of the offsets array */
- int new_len; /* Length of needed storage */
- int alloc_len; /* Actual allocated length */
+ size_t new_len; /* Length of needed storage */
+ size_t alloc_len; /* Actual allocated length */
 int eval_result_len=0; /* Length of the eval'ed or function-returned string */
 int match_len; /* Length of the current match */
@@ -1146,8 +1146,8 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
 offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0);
- alloc_len = 2 * subject_len + 1;
- result = safe_emalloc(alloc_len, sizeof(char), 0);
+ result = safe_emalloc(subject_len, 2*sizeof(char), 1);
+ alloc_len = 2 * (size_t)subject_len + 1;
 /* Initialize */
 match = NULL;
@@ -1212,8 +1212,8 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
 }
 if (new_len + 1 > alloc_len) {
- alloc_len = 1 + alloc_len + 2 * new_len;
- new_buf = emalloc(alloc_len);
+ new_buf = safe_emalloc(2, new_len + 1, alloc_len);
+ alloc_len = 1 + alloc_len + 2 * (size_t)new_len;
 memcpy(new_buf, result, *result_len);
 efree(result);
 result = new_buf;
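Review bot: Widening `new_len` and `alloc_len` to `size_t` in the hunk at -1075 leaves the values they are computed from as `int` — `match_len`, `eval_result_len` and `*result_len` stay `int` here, and `subject_len` appears to be `int` from the truncated hunk header — so a sum such as `new_len = *result_len + subject_len - start_offset;` in the hunk at -1276 is still evaluated in signed `int` and only widened on assignment, which is exactly the overflow the change is meant to remove. Casting the first operand, `new_len = (size_t)*result_len + subject_len - start_offset;`, moves the arithmetic into `size_t`; the `new_len` assignments that feed the growth check in the hunk at -1212 lie outside the diff and presumably need the same treatment. Once `new_len` is `size_t`, the `(size_t)new_len` casts added in the hunks at -1212 and -1276 are no-ops and can be dropped. php_pcre_replace_impl begins before the first hunk and the declarations shown are only part of its locals.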
@@ -1276,8 +1276,8 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
 } else {
 new_len = *result_len + subject_len - start_offset;
 if (new_len + 1 > alloc_len) {
- alloc_len = new_len + 1; /* now we know exactly how long it is */
- new_buf = safe_emalloc(alloc_len, sizeof(char), 0);
+ new_buf = safe_emalloc(new_len, sizeof(char), 1);
+ alloc_len = (size_t)new_len + 1; /* now we know exactly how long it is */
 memcpy(new_buf, result, *result_len);
 efree(result);
 result = new_buf;
@@ -1308,6 +1308,12 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
 efree(offsets);
 efree(subpat_names);
+ if(result && (size_t)(*result_len) > INT_MAX) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Result is too big, max is %d", INT_MAX);
+ efree(result);
+ result = NULL;
+ }
+
 return result;
 }
 /* }}} */ |
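Review bot: The new guard `if(result && (size_t)(*result_len) > INT_MAX)` in the hunk at -1308 cannot become true on a well-defined path if `*result_len` is an `int` (its declaration is outside the hunk, but the cast to `size_t` suggests a narrower type than `size_t`): an `int` is at most INT_MAX, so the comparison only holds after signed arithmetic has already wrapped the value negative, which is undefined behaviour rather than a reliable signal. A sound check tests the `size_t` length before it is stored into `*result_len` — e.g. `if (new_len > INT_MAX) { /* warn, efree(result), result = NULL */ }` at each growth point in the hunks at -1212 and -1276, where `new_len` is already `size_t` — instead of inspecting the `int` after the fact. The warning text and the `efree`/NULL handling are fine as written; the `*result_len` updates that would carry the check are outside the diff. Style: `if(` without a space differs from the `if (` used elsewhere in the same function.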