From db420cb6a141876b2f7d101051fb01934a28071a Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Tue, 19 Nov 2019 14:22:26 +0100
Subject: Fix #78833: Integer overflow in pack causes out-of-bound access

We check for potential signed integer overflow, and bail out gracefully, in that case.
---
 NEWS | 2 ++
 ext/standard/pack.c | 5 ++++-
 ext/standard/tests/strings/bug78833.phpt | 9 +++++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/strings/bug78833.phpt
diff --git a/NEWS b/NEWS
index c3d4783ebe..8bb7aa5b1c 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ PHP NEWS
 - Standard:
 . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
+ . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
+ (cmb)
 21 Nov 2019, PHP 7.2.25
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index 7d154841ab..b21edc4a84 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -343,10 +343,13 @@ PHP_FUNCTION(pack)
 if (arg < 0) {
 arg = num_args - currentarg;
 }
-
+ if (currentarg > INT_MAX - arg) {
+ goto too_few_args;
+ }
 currentarg += arg;
 if (currentarg > num_args) {
+too_few_args:
 efree(formatcodes);
 efree(formatargs);
 php_error_docref(NULL, E_WARNING, "Type %c: too few arguments", code);
diff --git a/ext/standard/tests/strings/bug78833.phpt b/ext/standard/tests/strings/bug78833.phpt
new file mode 100644
index 0000000000..763b6ec4ea
--- /dev/null
+++ b/ext/standard/tests/strings/bug78833.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #78833 (Integer overflow in pack causes out-of-bound access)
+--FILE--
+
+--EXPECTF--
+Warning: pack(): Type E: too few arguments in %s on line %d
+bool(false)
--
cgit v1.2.1
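Review bot: In the ext/standard/pack.c hunk, the new guard reaches the error path with `goto too_few_args;`, whose label sits inside the body of the following `if (currentarg > num_args) {` block; jumping into a conditional body is legal C but fragile if that block is later edited or gains a declaration. Comparing before adding would remove both the overflow and the label: `if (arg > num_args - currentarg) {` for the error block, with `currentarg += arg;` moved after it. That form assumes `currentarg` never exceeds `num_args` on entry, which the `arg = num_args - currentarg` line above suggests but the hunk does not show, since PHP_FUNCTION(pack) starts and ends outside it. If the goto form stays, note that `INT_MAX - arg` is only safe because a negative `arg` was replaced just above, and a short comment such as `/* reject before currentarg += arg can overflow a signed int (bug #78833) */` would record why the check exists.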