authorStanislav Malyshev <stas@php.net>2016-07-19 01:35:58 -0700
committerStanislav Malyshev <stas@php.net>2016-07-19 01:39:28 -0700
commitb00f8f2a5bae651d6375ca34c676963f1f25ee5a (patch)
treeaeffcdefca1269348c8b42e200b380044154ecad /ext/xmlrpc
parente9a58bee24a4004e50a59d0d01927e6632d6da27 (diff)
parent4d0565b5bad444b0652379668c5116b74ee13747 (diff)
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: fix #72519, possible OOB using imagegif fix #72512, invalid read or write for palette image when invalid transparent index is used Apparently some envs miss SIZE_MAX Fix tests Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c Fix for bug #72558, Integer overflow error within _gdContributionsAlloc() Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE Fix bug #72562 - destroy var_hash properly Fix bug #72533 (locale_accept_from_http out-of-bounds access) Fix fir bug #72520 Fix for bug #72513 Fix for bug #72513 CS fix and comments with bug ID Fix for HTTP_PROXY issue. 5.6.24RC1 add tests for bug #72512 Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access Fixed bug #72479 - same as #72434 Conflicts: Zend/zend_virtual_cwd.c ext/bz2/bz2.c ext/exif/exif.c ext/session/session.c ext/snmp/snmp.c ext/standard/basic_functions.c main/SAPI.c main/php_variables.c
Diffstat (limited to 'ext/xmlrpc')
-rw-r--r--ext/xmlrpc/libxmlrpc/simplestring.c24
-rw-r--r--ext/xmlrpc/libxmlrpc/simplestring.h2
2 files changed, 21 insertions, 5 deletions
diff --git a/ext/xmlrpc/libxmlrpc/simplestring.c b/ext/xmlrpc/libxmlrpc/simplestring.c
index 026567e5f5..c88754fb9a 100644
--- a/ext/xmlrpc/libxmlrpc/simplestring.c
+++ b/ext/xmlrpc/libxmlrpc/simplestring.c
@@ -172,6 +172,9 @@ void simplestring_free(simplestring* string) {
}
/******/
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
/****f* FUNC/simplestring_addn
* NAME
* simplestring_addn
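Review bot: The `SIZE_MAX` fallback sits between the `/******/` end marker and the ROBODoc header of `simplestring_addn`, with no comment saying why it exists. I would move it up beside the file's includes and add `/* fallback for toolchains whose headers do not define SIZE_MAX */`, so it is not read as part of the function's documentation block. Whether the file includes `<stdint.h>` is not visible in this hunk.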
@@ -190,18 +193,31 @@ void simplestring_free(simplestring* string) {
* simplestring_add ()
* SOURCE
*/
-void simplestring_addn(simplestring* target, const char* source, int add_len) {
+void simplestring_addn(simplestring* target, const char* source, size_t add_len) {
+ size_t newsize = target->size, incr = 0;
if(target && source) {
if(!target->str) {
simplestring_init_str(target);
}
+
+ if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+ /* check for overflows, if there's a potential overflow do nothing */
+ return;
+ }
+
if(target->len + add_len + 1 > target->size) {
/* newsize is current length + new length */
- int newsize = target->len + add_len + 1;
- int incr = target->size * 2;
+ newsize = target->len + add_len + 1;
+ incr = target->size * 2;
/* align to SIMPLESTRING_INCR increments */
- newsize = newsize - (newsize % incr) + incr;
+ if (incr) {
+ newsize = newsize - (newsize % incr) + incr;
+ }
+ if(newsize < (target->len + add_len + 1)) {
+ /* some kind of overflow happened */
+ return;
+ }
target->str = (char*)realloc(target->str, newsize);
target->size = target->str ? newsize : 0;
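Review bot: `size_t newsize = target->size, incr = 0;` dereferences `target` on the line before `if(target && source)` tests it, so a NULL target now faults and a compiler may drop the later check as redundant; initialise with `size_t newsize = 0, incr = 0;` and read `target->size` only inside the guarded block. The overflow guard also misses one boundary: for `add_len == SIZE_MAX` with `target->len == 0`, `SIZE_MAX - add_len` is 0 and `SIZE_MAX - add_len - 1` wraps to `SIZE_MAX`, so neither comparison fires and `target->len + add_len + 1` wraps to 0, skipping the realloc branch. A single test such as `if (add_len >= SIZE_MAX - (size_t)target->len) return;` covers every case without a wrapping subtraction. The declared types of `len` and `size` are not visible here, and the copy that follows the realloc is outside the hunk, so the effect of that boundary case should be confirmed against the full function.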
diff --git a/ext/xmlrpc/libxmlrpc/simplestring.h b/ext/xmlrpc/libxmlrpc/simplestring.h
index 59186a7764..b46b0d779a 100644
--- a/ext/xmlrpc/libxmlrpc/simplestring.h
+++ b/ext/xmlrpc/libxmlrpc/simplestring.h
@@ -63,7 +63,7 @@ void simplestring_init(simplestring* string);
void simplestring_clear(simplestring* string);
void simplestring_free(simplestring* string);
void simplestring_add(simplestring* string, const char* add);
-void simplestring_addn(simplestring* string, const char* add, int add_len);
+void simplestring_addn(simplestring* string, const char* add, size_t add_len);
#ifdef __cplusplus
}
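Review bot: The prototype changes `add_len` to `size_t`, but nothing on it documents that the call now returns without appending when the combined length would overflow, which callers cannot detect through a `void` return. I would add a comment above the declaration such as `/* appends add_len bytes of add; silently does nothing if the resulting size would overflow */`. Callers that still keep the length in an `int` are not visible here; a negative value would convert to a very large `size_t`, so they are worth auditing with `-Wsign-conversion`.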