strings chunk_split.phpt

Ilia Alshanetsky Sun, 03 Jun 2007 11:47:24 -0700

iliaa           Sun Jun  3 18:47:11 2007 UTC

  Modified files:              (Branch: PHP_5_2)
    /php-src    NEWS 
    /php-src/ext/standard       string.c 
    /php-src/ext/standard/tests/strings chunk_split.phpt 
  Log:
  Corrected fix for CVE-2007-2872
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.751&r2=1.2027.2.547.2.752&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.751 php-src/NEWS:1.2027.2.547.2.752
--- php-src/NEWS:1.2027.2.547.2.751     Sun Jun  3 17:46:17 2007
+++ php-src/NEWS        Sun Jun  3 18:47:10 2007
@@ -2,6 +2,7 @@
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2007, PHP 5.2.4
 - Improved fix for MOPB-02-2007. (Ilia)
+- Corrected fix for CVE-2007-2872. (Ilia)
 - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION
   GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING (Pierre)
 - Fixed bug #41518 (file_exists() warns of open_basedir restriction on 
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14.2.58&r2=1.445.2.14.2.59&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.445.2.14.2.58 
php-src/ext/standard/string.c:1.445.2.14.2.59
--- php-src/ext/standard/string.c:1.445.2.14.2.58       Wed May 30 00:33:13 2007
+++ php-src/ext/standard/string.c       Sun Jun  3 18:47:10 2007
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.445.2.14.2.58 2007/05/30 00:33:13 iliaa Exp $ */
+/* $Id: string.c,v 1.445.2.14.2.59 2007/06/03 18:47:10 iliaa Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -1956,18 +1956,20 @@
        char *p, *q;
        int chunks; /* complete chunks! */
        int restlen;
-       int out_len; 
+       float out_len; 
 
        chunks = srclen / chunklen;
        restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
-       out_len = (srclen + (chunks + 1) * endlen + 1);
+       out_len = chunks + 1;
+       out_len *= endlen;
+       out_len += srclen + 1;
 
        if (out_len > INT_MAX || out_len <= 0) {
                return NULL;
        }
 
-       dest = safe_emalloc(out_len, sizeof(char), 0);
+       dest = safe_emalloc((int)out_len, sizeof(char), 0);
 
        for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
                memcpy(q, p, chunklen);
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/chunk_split.phpt?r1=1.3.4.1&r2=1.3.4.2&diff_format=u
Index: php-src/ext/standard/tests/strings/chunk_split.phpt
diff -u php-src/ext/standard/tests/strings/chunk_split.phpt:1.3.4.1 
php-src/ext/standard/tests/strings/chunk_split.phpt:1.3.4.2
--- php-src/ext/standard/tests/strings/chunk_split.phpt:1.3.4.1 Wed May 30 
00:33:13 2007
+++ php-src/ext/standard/tests/strings/chunk_split.phpt Sun Jun  3 18:47:10 2007
@@ -12,6 +12,12 @@
 $c=str_repeat("B", 65535);
 var_dump(chunk_split($a,$b,$c));
 
+$a=str_repeat("B", 65536);
+$b=1;
+$c=str_repeat("B", 65536);
+var_dump(chunk_split($a,$b,$c));
+
+
 ?>
 --EXPECT--
 a-b-c-
@@ -25,3 +31,4 @@
 
 test|end
 bool(false)
+bool(false)


-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/standard string.c /ext/standard/tests/strings chunk_split.phpt

Reply via email to