authorStanislav Malyshev <stas@php.net>2016-11-03 20:36:52 -0700
committerStanislav Malyshev <stas@php.net>2016-11-03 20:36:52 -0700
commitea9fac94bbae150a81fde0e6542e6b45965772cd (patch)
tree124f543734d75dd5aecd9743dbe4031b4bd244a9 /ext/xmlrpc
parent6558559bcc1cd24e3639e4a215e9d546ee05fc48 (diff)
More string length checks & fixes
Diffstat (limited to 'ext/xmlrpc')
-rw-r--r--ext/xmlrpc/libxmlrpc/base64.c22
-rw-r--r--ext/xmlrpc/libxmlrpc/simplestring.c3
2 files changed, 15 insertions, 10 deletions
diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
index d020bd6646..5ebdf31f7a 100644
--- a/ext/xmlrpc/libxmlrpc/base64.c
+++ b/ext/xmlrpc/libxmlrpc/base64.c
@@ -15,6 +15,7 @@ static const char rcsid[] = "#(@) $Id$";
/* ENCODE -- Encode binary file into base64. */
#include <stdlib.h>
#include <ctype.h>
+#include <limits.h>
#include "base64.h"
@@ -31,6 +32,9 @@ void buffer_new(struct buffer_st *b)
void buffer_add(struct buffer_st *b, char c)
{
+ if ((INT_MAX - b->length) <= 512) {
+ return;
+ }
*(b->ptr++) = c;
b->offset++;
if (b->offset == b->length) {
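Review bot: The guard added at the top of buffer_add drops the byte silently, and because the function returns void, base64_encode_xmlrpc cannot tell a complete encoding from a truncated one. It also runs on every call rather than only when the buffer is about to grow, so once b->length is within 512 of INT_MAX even bytes that would fit in the current allocation are discarded. The 512 presumably mirrors the growth step in the part of the function outside this hunk; a named constant shared by both places would keep them from drifting apart. At minimum I would put a comment above the check, such as `/* refuse to grow past INT_MAX: the byte is dropped and the output is truncated */`, and consider moving the test inside the `if (b->offset == b->length)` branch.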
@@ -54,13 +58,13 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
int i, hiteof = 0;
int offset = 0;
int olen;
-
+
olen = 0;
-
+
buffer_new(b);
-
+
/* Fill dtable with character encodings. */
-
+
for (i = 0; i < 26; i++) {
dtable[i] = 'A' + i;
dtable[26 + i] = 'a' + i;
@@ -70,16 +74,16 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
}
dtable[62] = '+';
dtable[63] = '/';
-
+
while (!hiteof) {
unsigned char igroup[3], ogroup[4];
int c, n;
-
+
igroup[0] = igroup[1] = igroup[2] = 0;
for (n = 0; n < 3; n++) {
c = *(source++);
offset++;
- if (offset > length) {
+ if (offset > length || offset <= 0) {
hiteof = 1;
break;
}
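Review bot: The added `offset <= 0` test cannot be relied on, because it is evaluated after `offset++`, and incrementing a signed int past INT_MAX is undefined behaviour; a compiler may assume the wrap never happens and drop the test. The byte is also fetched through `*(source++)` before either condition is checked, so the iteration that ends the loop has already read source[length], which is one past the caller's data unless the buffer happens to be NUL-terminated. Testing before the read avoids both problems and also handles a negative length: `if (offset >= length) { hiteof = 1; break; }` followed by `c = *(source++); offset++;`. The enclosing while loop continues outside this hunk.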
@@ -90,11 +94,11 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
ogroup[1] = dtable[((igroup[0] & 3) << 4) | (igroup[1] >> 4)];
ogroup[2] = dtable[((igroup[1] & 0xF) << 2) | (igroup[2] >> 6)];
ogroup[3] = dtable[igroup[2] & 0x3F];
-
+
/* Replace characters in output stream with "=" pad
characters if fewer than three characters were
read from the end of the input stream. */
-
+
if (n < 3) {
ogroup[3] = '=';
if (n < 2) {
diff --git a/ext/xmlrpc/libxmlrpc/simplestring.c b/ext/xmlrpc/libxmlrpc/simplestring.c
index c88754fb9a..98b5c81e42 100644
--- a/ext/xmlrpc/libxmlrpc/simplestring.c
+++ b/ext/xmlrpc/libxmlrpc/simplestring.c
@@ -80,6 +80,7 @@ static const char rcsid[] = "#(@) $Id$";
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "simplestring.h"
#define my_free(thing) if(thing) {free(thing); thing = 0;}
@@ -200,7 +201,7 @@ void simplestring_addn(simplestring* target, const char* source, size_t add_len)
simplestring_init_str(target);
}
- if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+ if((INT_MAX - add_len) < target->len || (INT_MAX - add_len - 1) < target->len) {
/* check for overflows, if there's a potential overflow do nothing */
return;
}
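Review bot: The new bound in simplestring_addn can still wrap. add_len is a size_t, so `INT_MAX - add_len` is evaluated in unsigned arithmetic and becomes a huge value whenever add_len exceeds INT_MAX, and `INT_MAX - add_len - 1` already does so at add_len == INT_MAX. Both comparisons are then false and the oversized append goes through. Checking add_len first closes that: `if (add_len >= INT_MAX || target->len > (size_t)INT_MAX - 1 - add_len) { return; }`. This assumes target->len is an unsigned size, as the comparison suggests; its declaration is not visible here, and the function body starts and ends outside the hunk.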