stas Mon Mar 17 23:07:55 2008 UTC Modified files: /php-src/ext/standard formatted_print.c Log: fix integer overflow in lenght calculation http://cvs.php.net/viewvc.cgi/php-src/ext/standard/formatted_print.c?r1=1.104&r2=1.105&diff_format=u
Index: php-src/ext/standard/formatted_print.c
diff -u php-src/ext/standard/formatted_print.c:1.104 php-src/ext/standard/formatted_print.c:1.105
--- php-src/ext/standard/formatted_print.c:1.104 Mon Dec 31 07:12:15 2007
+++ php-src/ext/standard/formatted_print.c Mon Mar 17 23:07:55 2008
@@ -16,7 +16,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: formatted_print.c,v 1.104 2007/12/31 07:12:15 sebastian Exp $ */
+/* $Id: formatted_print.c,v 1.105 2008/03/17 23:07:55 stas Exp $ */
 #include <math.h> /* modf() */
 #include "php.h"
@@ -94,6 +94,7 @@
 register int npad;
 int req_size;
 int copy_len;
+ int m_width;
 copy_len = (expprec ? MIN(max_width, len) : len);
 npad = min_width - copy_len;
@@ -104,11 +105,19 @@
 PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n", *buffer, *pos, *size, add, min_width, padding, alignment));
+ m_width = MAX(min_width, copy_len);
- req_size = *pos + MAX(min_width, copy_len) + 1;
+ if(m_width > INT_MAX - *pos - 1) {
+ zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width);
+ }
+
+ req_size = *pos + m_width + 1;
 if (req_size > *size) {
 while (req_size > *size) {
+ if(*size > INT_MAX/2) {
+ zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size);
+ }
 *size <<= 1;
 }
 PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
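Review bot: In the third hunk (`@@ -104,11 +105,19 @@`), the check added inside the doubling loop passes `req_size` to the message "Field width %d is too long", so the number logged is the total buffer requirement (`*pos + m_width + 1`) rather than the width the format asked for, which makes an oversized-format report harder to triage. A distinct message there would separate the two failure points, e.g. `zend_error_noreturn(E_ERROR, "Formatted output of %d bytes is too long", req_size);`. The first guard is overflow-free only while `*pos` is non-negative, which the hunk does not show, so a comment above it such as `/* compare against INT_MAX - *pos - 1 so the bound check itself cannot overflow; assumes *pos >= 0 */` would record that assumption. The enclosing function starts and ends outside the hunk, and `INT_MAX` presumably arrives through `php.h`, since no `<limits.h>` include is visible here.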