iliaa Wed May 30 00:33:14 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-src NEWS
/php-src/ext/standard/tests/strings chunk_split.phpt
/php-src/ext/standard string.c
Log:
Fixed an integer overflow inside chunk_split(), identified by Gerhard
Wagner
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.744&r2=1.2027.2.547.2.745&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.744 php-src/NEWS:1.2027.2.547.2.745
--- php-src/NEWS:1.2027.2.547.2.744 Tue May 29 08:44:05 2007
+++ php-src/NEWS Wed May 30 00:33:13 2007
@@ -1,6 +1,8 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Jun 2007, PHP 5.2.3
+- Fixed an interger overflow inside chunk_split(), identified by Gerhard
+ Wagner (Ilia)
- Fixed bug #41525 (ReflectionParameter::getPosition() not available). (Marcus)
- Fixed bug #41511 (Compile failure under IRIX 6.5.30 building md5.c). (Jani)
- Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/chunk_split.phpt?r1=1.3&r2=1.3.4.1&diff_format=u
Index: php-src/ext/standard/tests/strings/chunk_split.phpt
diff -u php-src/ext/standard/tests/strings/chunk_split.phpt:1.3
php-src/ext/standard/tests/strings/chunk_split.phpt:1.3.4.1
--- php-src/ext/standard/tests/strings/chunk_split.phpt:1.3 Sun Apr 3
18:08:40 2005
+++ php-src/ext/standard/tests/strings/chunk_split.phpt Wed May 30 00:33:13 2007
@@ -6,6 +6,12 @@
echo chunk_split('foooooooooooooooo', 5)."\n";
echo chunk_split(str_repeat('X', 2*76))."\n";
echo chunk_split("test", 10, "|end") . "\n";
+
+$a=str_repeat("B", 65535);
+$b=1;
+$c=str_repeat("B", 65535);
+var_dump(chunk_split($a,$b,$c));
+
?>
--EXPECT--
a-b-c-
@@ -18,3 +24,4 @@
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
test|end
+bool(false)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.57&r2=1.445.2.14.2.58&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.445.2.14.2.57
php-src/ext/standard/string.c:1.445.2.14.2.58
--- php-src/ext/standard/string.c:1.445.2.14.2.57 Thu May 24 21:29:27 2007
+++ php-src/ext/standard/string.c Wed May 30 00:33:13 2007
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: string.c,v 1.445.2.14.2.57 2007/05/24 21:29:27 rasmus Exp $ */
+/* $Id: string.c,v 1.445.2.14.2.58 2007/05/30 00:33:13 iliaa Exp $ */
/* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
@@ -1956,11 +1956,18 @@
char *p, *q;
int chunks; /* complete chunks! */
int restlen;
+ int out_len;
chunks = srclen / chunklen;
restlen = srclen - chunks * chunklen; /* srclen % chunklen */
- dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char),
0);
+ out_len = (srclen + (chunks + 1) * endlen + 1);
+
+ if (out_len > INT_MAX || out_len <= 0) {
+ return NULL;
+ }
+
+ dest = safe_emalloc(out_len, sizeof(char), 0);
for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
memcpy(q, p, chunklen);
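Review bot: The range check on `out_len` runs after `srclen + (chunks + 1) * endlen + 1` has already been evaluated in `int`, so it cannot reliably detect the overflow. `out_len > INT_MAX` is always false for an `int`, signed overflow is undefined behaviour, and a sum that wraps to a small positive value passes `out_len <= 0` and reaches `safe_emalloc()` with a buffer smaller than what the `memcpy` loop below writes. Each step should be bounded before it is performed, as in the fence below, which assumes `srclen` and `endlen` are non-negative and `chunklen` is positive; their validation is outside this hunk, as are the start and end of the enclosing function. The case added to chunk_split.phpt in this commit only exercises inputs whose sum wraps to exactly zero, so it would not catch the positive-wrap case.

```c
	restlen = srclen - chunks * chunklen; /* srclen % chunklen */

	/* Bound every step before performing it so no int arithmetic can wrap. */
	if (chunks > INT_MAX - 1) {
		return NULL;
	}
	out_len = chunks + 1;
	if (endlen != 0 && out_len > INT_MAX / endlen) {
		return NULL;
	}
	out_len *= endlen;
	if (out_len > INT_MAX - srclen - 1) {
		return NULL;
	}
	out_len += srclen + 1;

	dest = safe_emalloc(out_len, sizeof(char), 0);
	/* … unchanged: copy loop … */
```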