stas Mon Mar 17 23:06:32 2008 UTC
Modified files: (Branch: PHP_5_3)
/php-src/ext/standard formatted_print.c
Log:
fix integer overflow in length calculation
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.82.2.1.2.16.2.2&r2=1.82.2.1.2.16.2.3&diff_format=u
Index: php-src/ext/standard/formatted_print.c
diff -u php-src/ext/standard/formatted_print.c:1.82.2.1.2.16.2.2
php-src/ext/standard/formatted_print.c:1.82.2.1.2.16.2.3
--- php-src/ext/standard/formatted_print.c:1.82.2.1.2.16.2.2 Mon Dec 31
07:17:14 2007
+++ php-src/ext/standard/formatted_print.c Mon Mar 17 23:06:32 2008
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: formatted_print.c,v 1.82.2.1.2.16.2.2 2007/12/31 07:17:14 sebastian
Exp $ */
+/* $Id: formatted_print.c,v 1.82.2.1.2.16.2.3 2008/03/17 23:06:32 stas Exp $ */
#include <math.h> /* modf() */
#include "php.h"
@@ -76,6 +76,7 @@
register int npad;
int req_size;
int copy_len;
+ int m_width;
copy_len = (expprec ? MIN(max_width, len) : len);
npad = min_width - copy_len;
@@ -86,11 +87,19 @@
PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c',
%d)\n",
*buffer, *pos, *size, add, min_width,
padding, alignment));
+ m_width = MAX(min_width, copy_len);
- req_size = *pos + MAX(min_width, copy_len) + 1;
+ if(m_width > INT_MAX - *pos - 1) {
+ zend_error_noreturn(E_ERROR, "Field width %d is too long",
m_width);
+ }
+
+ req_size = *pos + m_width + 1;
if (req_size > *size) {
while (req_size > *size) {
+ if(*size > INT_MAX/2) {
+ zend_error_noreturn(E_ERROR, "Field width %d is
too long", req_size);
+ }
*size <<= 1;
}
PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n",
*size));
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
