sesser Sun Nov 28 07:44:42 2004 EDT
Modified files: (Branch: PHP_5_0)
/php-src/ext/standard pack.c
/php-src/main php.h
Log:
MFH
http://cvs.php.net/diff.php/php-src/ext/standard/pack.c?r1=1.52&r2=1.52.2.1&ty=u
Index: php-src/ext/standard/pack.c
diff -u php-src/ext/standard/pack.c:1.52 php-src/ext/standard/pack.c:1.52.2.1
--- php-src/ext/standard/pack.c:1.52 Tue Feb 24 16:49:28 2004
+++ php-src/ext/standard/pack.c Sun Nov 28 07:44:42 2004
@@ -15,7 +15,7 @@
| Author: Chris Schneider <[EMAIL PROTECTED]> |
+----------------------------------------------------------------------+
*/
-/* $Id: pack.c,v 1.52 2004/02/24 21:49:28 gschlossnagle Exp $ */
+/* $Id: pack.c,v 1.52.2.1 2004/11/28 12:44:42 sesser Exp $ */
#include "php.h"
@@ -61,6 +61,13 @@
#include <netinet/in.h>
#endif
+#define INC_OUTPUTPOS(a,b) \
+ if ((a) < 0 || ((INT_MAX - outputpos)/(b)) < (a)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer
overflow in format string", code); \
+ RETURN_FALSE; \
+ } \
+ outputpos += (a)*(b);
+
/* Whether machine is little endian */
char machine_little_endian;
@@ -244,7 +251,7 @@
switch ((int) code) {
case 'h':
case 'H':
- outputpos += (arg + 1) / 2; /* 4
bit per arg */
+ INC_OUTPUTPOS((arg + 1) / 2,1) /* 4 bit per
arg */
break;
case 'a':
@@ -252,34 +259,34 @@
case 'c':
case 'C':
case 'x':
- outputpos += arg; /* 8 bit per
arg */
+ INC_OUTPUTPOS(arg,1) /* 8 bit per
arg */
break;
case 's':
case 'S':
case 'n':
case 'v':
- outputpos += arg * 2; /* 16 bit per arg */
+ INC_OUTPUTPOS(arg,2) /* 16 bit per
arg */
break;
case 'i':
case 'I':
- outputpos += arg * sizeof(int);
+ INC_OUTPUTPOS(arg,sizeof(int))
break;
case 'l':
case 'L':
case 'N':
case 'V':
- outputpos += arg * 4; /* 32 bit per arg */
+ INC_OUTPUTPOS(arg,4) /* 32 bit per
arg */
break;
case 'f':
- outputpos += arg * sizeof(float);
+ INC_OUTPUTPOS(arg,sizeof(float))
break;
case 'd':
- outputpos += arg * sizeof(double);
+ INC_OUTPUTPOS(arg,sizeof(double))
break;
case 'X':
@@ -648,6 +655,11 @@
sprintf(n, "%.*s", namelen, name);
}
+ if (size != 0 && size != -1 && INT_MAX - size + 1 <
inputpos) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING,
"Type %c: integer overflow", type);
+ inputpos = 0;
+ }
+
if ((inputpos + size) <= inputlen) {
switch ((int) type) {
case 'a':
@@ -818,6 +830,10 @@
}
inputpos += size;
+ if (inputpos < 0) {
+ php_error_docref(NULL TSRMLS_CC,
E_WARNING, "Type %c: outside of string", type);
+ inputpos = 0;
+ }
} else if (arg < 0) {
/* Reached end of input for '*' repeater */
break;
http://cvs.php.net/diff.php/php-src/main/php.h?r1=1.203.2.3&r2=1.203.2.4&ty=u
Index: php-src/main/php.h
diff -u php-src/main/php.h:1.203.2.3 php-src/main/php.h:1.203.2.4
--- php-src/main/php.h:1.203.2.3 Mon Nov 15 18:14:39 2004
+++ php-src/main/php.h Sun Nov 28 07:44:42 2004
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: php.h,v 1.203.2.3 2004/11/15 23:14:39 fmk Exp $ */
+/* $Id: php.h,v 1.203.2.4 2004/11/28 12:44:42 sesser Exp $ */
#ifndef PHP_H
#define PHP_H
@@ -230,6 +230,14 @@
#define LONG_MIN (- LONG_MAX - 1)
#endif
+#ifndef INT_MAX
+#define INT_MAX 2147483647
+#endif
+
+#ifndef INT_MIN
+#define INT_MIN (- INT_MAX - 1)
+#endif
+
#define PHP_GCC_VERSION ZEND_GCC_VERSION
#define PHP_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_MALLOC
#define PHP_ATTRIBUTE_FORMAT ZEND_ATTRIBUTE_FORMAT
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
