fix integer overflow in {stream,file}_{get,put}_contents()

author: Michael Wallner <mike@php.net> 2014-07-02 09:53:03 +0200
committer: Michael Wallner <mike@php.net> 2014-07-02 09:53:03 +0200
commit: 34e686c5562bfd289d330f5dae2dafec4e58a20c (patch)
tree: 991f45e28650c31c2055e5ac0c801536f8accf0e /ext/standard/streamsfuncs.c
parent: 899fe3d8af42dc09c3f0ed2915e516c068166a43 (diff)
download: php-git-34e686c5562bfd289d330f5dae2dafec4e58a20c.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c
index bdb05ec9b8..b1b318044e 100644
--- a/ext/standard/streamsfuncs.c
+++ b/ext/standard/streamsfuncs.c
@@ -407,7 +407,7 @@ PHP_FUNCTION(stream_get_contents)
 	zval		*zsrc;
 	long		maxlen		= PHP_STREAM_COPY_ALL,
 				desiredpos	= -1L;
-	int			len;
+	long		len;
 	char		*contents	= NULL;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ll", &zsrc, &maxlen, &desiredpos) == FAILURE) {
@@ -439,6 +439,10 @@ PHP_FUNCTION(stream_get_contents)
 	len = php_stream_copy_to_mem(stream, &contents, maxlen, 0);
 
 	if (contents) {
+		if (len > INT_MAX) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
+			len = INT_MAX;
+		}
 		RETVAL_STRINGL(contents, len, 0);
 	} else {
 		RETVAL_EMPTY_STRING();
author	Michael Wallner <mike@php.net>	2014-07-02 09:53:03 +0200
committer	Michael Wallner <mike@php.net>	2014-07-02 09:53:03 +0200
commit	34e686c5562bfd289d330f5dae2dafec4e58a20c (patch)
tree	991f45e28650c31c2055e5ac0c801536f8accf0e /ext/standard/streamsfuncs.c
parent	899fe3d8af42dc09c3f0ed2915e516c068166a43 (diff)
download	php-git-34e686c5562bfd289d330f5dae2dafec4e58a20c.tar.gz