Hi.

Please commit the attached patch, to cover the integer overflow that can happen:

if ((offset + len) > total_len)

Cheers,
Mattias.

On Wed, Sep 19, 2007 at 12:30:53AM -0000, Stanislav Malyshev wrote:
> stas Wed Sep 19 00:30:53 2007 UTC
>
> Modified files: (Branch: PHP_5_2)
> /php-src/ext/iconv iconv.c php_iconv.h
> Log:
> limit iconv parameter sizes - workaround for glibc bug
Index: ext/iconv/iconv.c =================================================================== RCS file: /repository/php-src/ext/iconv/iconv.c,v retrieving revision 1.124.2.8.2.17 diff -u -r1.124.2.8.2.17 iconv.c --- ext/iconv/iconv.c 19 Sep 2007 00:30:52 -0000 1.124.2.8.2.17 +++ ext/iconv/iconv.c 19 Sep 2007 09:27:14 -0000 @@ -700,7 +700,7 @@ } } - if (offset >= total_len) { + if (offset >= total_len || len > total_len) { return PHP_ICONV_ERR_SUCCESS; }
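Review bot: The added `len > total_len` test in the `@@ -700,7 +700,7 @@` hunk only bounds `len` on its own, so the sum can still wrap. With `offset < total_len` and `len <= total_len`, `offset + len` can reach almost twice `total_len`, which wraps whenever `total_len` exceeds half the range of the type. It would be more robust to remove the addition from the later comparison, for example `len > total_len - offset`, which cannot underflow once `offset >= total_len` has been rejected. The new clause also makes any call with `len` larger than the string take the early `return PHP_ICONV_ERR_SUCCESS;` instead of reaching the `offset + len` comparison. If that comparison exists to clamp an oversized `len`, this changes the result for inputs that were previously valid, so the subtraction form is the safer fix. Either way, a short comment next to the condition saying that it guards against overflow of `offset + len` would help.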
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php