diff options
author | Ilia Alshanetsky <iliaa@php.net> | 2007-05-30 00:33:13 +0000 |
---|---|---|
committer | Ilia Alshanetsky <iliaa@php.net> | 2007-05-30 00:33:13 +0000 |
commit | 9282d4add60b9aae26182f8aff1e48d4dd3dfc99 (patch) | |
tree | cef206b36d4285463c23dceabe795aa8609fa48e /ext | |
parent | f7ec7197f7d103e30a3b25a5cfe97471d0c92252 (diff) | |
download | php-git-9282d4add60b9aae26182f8aff1e48d4dd3dfc99.tar.gz |
Fixed an interger overflow inside chunk_split(), identified by Gerhard
Wagner
Diffstat (limited to 'ext')
-rw-r--r-- | ext/standard/string.c | 9 | ||||
-rw-r--r-- | ext/standard/tests/strings/chunk_split.phpt | 7 |
2 files changed, 15 insertions, 1 deletions
diff --git a/ext/standard/string.c b/ext/standard/string.c index 698cbd8ea9..7c4b07efc1 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -1956,11 +1956,18 @@ static char *php_chunk_split(char *src, int srclen, char *end, int endlen, int c char *p, *q; int chunks; /* complete chunks! */ int restlen; + int out_len; chunks = srclen / chunklen; restlen = srclen - chunks * chunklen; /* srclen % chunklen */ - dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0); + out_len = (srclen + (chunks + 1) * endlen + 1); + + if (out_len > INT_MAX || out_len <= 0) { + return NULL; + } + + dest = safe_emalloc(out_len, sizeof(char), 0); for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) { memcpy(q, p, chunklen); diff --git a/ext/standard/tests/strings/chunk_split.phpt b/ext/standard/tests/strings/chunk_split.phpt index b6bed3ab48..cfb817def1 100644 --- a/ext/standard/tests/strings/chunk_split.phpt +++ b/ext/standard/tests/strings/chunk_split.phpt @@ -6,6 +6,12 @@ echo chunk_split('abc', 1, '-')."\n"; echo chunk_split('foooooooooooooooo', 5)."\n"; echo chunk_split(str_repeat('X', 2*76))."\n"; echo chunk_split("test", 10, "|end") . "\n"; + +$a=str_repeat("B", 65535); +$b=1; +$c=str_repeat("B", 65535); +var_dump(chunk_split($a,$b,$c)); + ?> --EXPECT-- a-b-c- @@ -18,3 +24,4 @@ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX test|end +bool(false) |