diff options
Diffstat (limited to 'ext/standard')
-rw-r--r-- | ext/standard/html.c | 6 | ||||
-rw-r--r-- | ext/standard/math.c | 20 | ||||
-rw-r--r-- | ext/standard/user_filters.c | 8 |
3 files changed, 11 insertions, 23 deletions
diff --git a/ext/standard/html.c b/ext/standard/html.c index 090b4de4f0..e73afec4db 100644 --- a/ext/standard/html.c +++ b/ext/standard/html.c @@ -1269,11 +1269,7 @@ PHPAPI zend_string *php_escape_html_entities_ex(unsigned char *old, size_t oldle if (oldlen < 64) { maxlen = 128; } else { - maxlen = 2 * oldlen; - if (maxlen < oldlen) { - zend_error_noreturn(E_ERROR, "Input string is too long"); - return NULL; - } + maxlen = zend_safe_addmult(oldlen, 2, 0, "html_entities"); } replaced = zend_string_alloc(maxlen, 0); diff --git a/ext/standard/math.c b/ext/standard/math.c index e4b1160b75..6cf3514082 100644 --- a/ext/standard/math.c +++ b/ext/standard/math.c @@ -1151,19 +1151,15 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin /* calculate the length of the return buffer */ if (dp) { - integral = (int)(dp - ZSTR_VAL(tmpbuf)); + integral = (dp - ZSTR_VAL(tmpbuf)); } else { /* no decimal point was found */ - integral = (int)ZSTR_LEN(tmpbuf); + integral = ZSTR_LEN(tmpbuf); } /* allow for thousand separators */ if (thousand_sep) { - if (integral + thousand_sep_len * ((integral-1) / 3) < integral) { - /* overflow */ - php_error_docref(NULL, E_ERROR, "String overflow"); - } - integral += thousand_sep_len * ((integral-1) / 3); + integral = zend_safe_addmult((integral-1)/3, thousand_sep_len, integral, "number formatting"); } reslen = integral; @@ -1172,11 +1168,7 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin reslen += dec; if (dec_point) { - if (reslen + dec_point_len < dec_point_len) { - /* overflow */ - php_error_docref(NULL, E_ERROR, "String overflow"); - } - reslen += dec_point_len; + reslen = zend_safe_addmult(reslen, 1, dec_point_len, "number formatting"); } } @@ -1194,8 +1186,8 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin * Take care, as the sprintf implementation may return less places than * we requested due to internal buffer limitations */ if (dec) { - int declen = (int)(dp ? s - dp : 0); - int topad = dec > declen ? dec - declen : 0; + size_t declen = (dp ? s - dp : 0); + size_t topad = dec > declen ? dec - declen : 0; /* pad with '0's */ while (topad--) { diff --git a/ext/standard/user_filters.c b/ext/standard/user_filters.c index e65148a2df..2da03cd276 100644 --- a/ext/standard/user_filters.c +++ b/ext/standard/user_filters.c @@ -268,7 +268,7 @@ static php_stream_filter *user_filter_factory_create(const char *filtername, zval obj, zfilter; zval func_name; zval retval; - int len; + size_t len; /* some sanity checks */ if (persistent) { @@ -277,7 +277,7 @@ static php_stream_filter *user_filter_factory_create(const char *filtername, return NULL; } - len = (int)strlen(filtername); + len = strlen(filtername); /* determine the classname/class entry */ if (NULL == (fdat = zend_hash_str_find_ptr(BG(user_filter_map), (char*)filtername, len))) { @@ -289,7 +289,7 @@ static php_stream_filter *user_filter_factory_create(const char *filtername, TODO: Allow failed userfilter creations to continue scanning through the list */ if ((period = strrchr(filtername, '.'))) { - char *wildcard = emalloc(len + 3); + char *wildcard = safe_emalloc(len, 1, 3); /* Search for wildcard matches instead */ memcpy(wildcard, filtername, len + 1); /* copy \0 */ @@ -452,7 +452,7 @@ static void php_stream_bucket_attach(int append, INTERNAL_FUNCTION_PARAMETERS) if (!bucket->own_buf) { bucket = php_stream_bucket_make_writeable(bucket); } - if ((int)bucket->buflen != Z_STRLEN_P(pzdata)) { + if (bucket->buflen != Z_STRLEN_P(pzdata)) { bucket->buf = perealloc(bucket->buf, Z_STRLEN_P(pzdata), bucket->is_persistent); bucket->buflen = Z_STRLEN_P(pzdata); } |