stas            Mon Mar 17 23:06:32 2008 UTC

  Modified files:              (Branch: PHP_5_3)
    /php-src/ext/standard       formatted_print.c 
  Log:
  fix integer overflow in length calculation
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.82.2.1.2.16.2.2&r2=1.82.2.1.2.16.2.3&diff_format=u
Index: php-src/ext/standard/formatted_print.c
diff -u php-src/ext/standard/formatted_print.c:1.82.2.1.2.16.2.2 
php-src/ext/standard/formatted_print.c:1.82.2.1.2.16.2.3
--- php-src/ext/standard/formatted_print.c:1.82.2.1.2.16.2.2    Mon Dec 31 
07:17:14 2007
+++ php-src/ext/standard/formatted_print.c      Mon Mar 17 23:06:32 2008
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: formatted_print.c,v 1.82.2.1.2.16.2.2 2007/12/31 07:17:14 sebastian 
Exp $ */
+/* $Id: formatted_print.c,v 1.82.2.1.2.16.2.3 2008/03/17 23:06:32 stas Exp $ */
 
 #include <math.h>                              /* modf() */
 #include "php.h"
@@ -76,6 +76,7 @@
        register int npad;
        int req_size;
        int copy_len;
+       int m_width;
 
        copy_len = (expprec ? MIN(max_width, len) : len);
        npad = min_width - copy_len;
@@ -86,11 +87,19 @@
        
        PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', 
%d)\n",
                                  *buffer, *pos, *size, add, min_width, 
padding, alignment));
+       m_width = MAX(min_width, copy_len);
 
-       req_size = *pos + MAX(min_width, copy_len) + 1;
+       if(m_width > INT_MAX - *pos - 1) {
+               zend_error_noreturn(E_ERROR, "Field width %d is too long", 
m_width);
+       }
+
+       req_size = *pos + m_width + 1;
 
        if (req_size > *size) {
                while (req_size > *size) {
+                       if(*size > INT_MAX/2) {
+                               zend_error_noreturn(E_ERROR, "Field width %d is 
too long", req_size); 
+                       }
                        *size <<= 1;
                }
                PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", 
*size));
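Review bot: The new guard `if(m_width > INT_MAX - *pos - 1)` bounds `m_width` only from above, so a negative `min_width`/`copy_len` pair would pass it and leave `req_size` at or below `*pos` with no buffer growth. Whether callers can pass negative values is not visible in this hunk, but since every quantity here is a plain `int`, a lower bound is cheap: `if (m_width < 0 || m_width > INT_MAX - *pos - 1) {`. The second check, inside the `while` loop, prints `req_size` under the text "Field width %d is too long"; that value is the total buffer size required, not the width, so a message such as `"Formatted output of %d bytes is too long"` would match what is reported. The function starts and ends outside the hunk, so the later copy that uses `copy_len` and `npad` could not be checked here.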


