iliaa Wed May 30 00:33:14 2007 UTC Modified files: (Branch: PHP_5_2) /php-src NEWS /php-src/ext/standard/tests/strings chunk_split.phpt /php-src/ext/standard string.c Log: Fixed an interger overflow inside chunk_split(), identified by Gerhard Wagner http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.744&r2=1.2027.2.547.2.745&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.744 php-src/NEWS:1.2027.2.547.2.745 --- php-src/NEWS:1.2027.2.547.2.744 Tue May 29 08:44:05 2007 +++ php-src/NEWS Wed May 30 00:33:13 2007 @@ -1,6 +1,8 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? Jun 2007, PHP 5.2.3 +- Fixed an interger overflow inside chunk_split(), identified by Gerhard + Wagner (Ilia) - Fixed bug #41525 (ReflectionParameter::getPosition() not available). (Marcus) - Fixed bug #41511 (Compile failure under IRIX 6.5.30 building md5.c). (Jani) - Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/chunk_split.phpt?r1=1.3&r2=1.3.4.1&diff_format=u Index: php-src/ext/standard/tests/strings/chunk_split.phpt diff -u php-src/ext/standard/tests/strings/chunk_split.phpt:1.3 php-src/ext/standard/tests/strings/chunk_split.phpt:1.3.4.1 --- php-src/ext/standard/tests/strings/chunk_split.phpt:1.3 Sun Apr 3 18:08:40 2005 +++ php-src/ext/standard/tests/strings/chunk_split.phpt Wed May 30 00:33:13 2007 @@ -6,6 +6,12 @@ echo chunk_split('foooooooooooooooo', 5)."\n"; echo chunk_split(str_repeat('X', 2*76))."\n"; echo chunk_split("test", 10, "|end") . "\n"; + +$a=str_repeat("B", 65535); +$b=1; +$c=str_repeat("B", 65535); +var_dump(chunk_split($a,$b,$c)); + ?> --EXPECT-- a-b-c- @@ -18,3 +24,4 @@ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX test|end +bool(false) http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.57&r2=1.445.2.14.2.58&diff_format=u Index: php-src/ext/standard/string.c diff -u php-src/ext/standard/string.c:1.445.2.14.2.57 php-src/ext/standard/string.c:1.445.2.14.2.58 --- php-src/ext/standard/string.c:1.445.2.14.2.57 Thu May 24 21:29:27 2007 +++ php-src/ext/standard/string.c Wed May 30 00:33:13 2007 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: string.c,v 1.445.2.14.2.57 2007/05/24 21:29:27 rasmus Exp $ */ +/* $Id: string.c,v 1.445.2.14.2.58 2007/05/30 00:33:13 iliaa Exp $ */ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ @@ -1956,11 +1956,18 @@ char *p, *q; int chunks; /* complete chunks! */ int restlen; + int out_len; chunks = srclen / chunklen; restlen = srclen - chunks * chunklen; /* srclen % chunklen */ - dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0); + out_len = (srclen + (chunks + 1) * endlen + 1); + + if (out_len > INT_MAX || out_len <= 0) { + return NULL; + } + + dest = safe_emalloc(out_len, sizeof(char), 0); for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) { memcpy(q, p, chunklen);
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php