iliaa                                    Mon, 23 Nov 2009 04:12:36 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=291172

Log:
Extend the previously added large string concatenation validation

Changed paths:
    U   php/php-src/branches/PHP_5_2/Zend/zend_operators.c
    U   php/php-src/branches/PHP_5_3/Zend/zend_operators.c

Modified: php/php-src/branches/PHP_5_2/Zend/zend_operators.c
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_operators.c  2009-11-23 04:11:01 UTC 
(rev 291171)
+++ php/php-src/branches/PHP_5_2/Zend/zend_operators.c  2009-11-23 04:12:36 UTC 
(rev 291172)
@@ -1203,7 +1203,7 @@
        if (result==op1) {      /* special case, perform operations on result */
                uint res_len = op1->value.str.len + op2->value.str.len;

-               if (Z_STRLEN_P(result) < 0) {
+               if (Z_STRLEN_P(result) < 0 || (int) (Z_STRLEN_P(op1) + 
Z_STRLEN_P(op2)) < 0) {
                        efree(Z_STRVAL_P(result));
                        ZVAL_EMPTY_STRING(result);
                        zend_error(E_ERROR, "String size overflow");

Modified: php/php-src/branches/PHP_5_3/Zend/zend_operators.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_operators.c  2009-11-23 04:11:01 UTC 
(rev 291171)
+++ php/php-src/branches/PHP_5_3/Zend/zend_operators.c  2009-11-23 04:12:36 UTC 
(rev 291172)
@@ -1227,7 +1227,7 @@
        if (result==op1) {      /* special case, perform operations on result */
                uint res_len = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);

-               if (Z_STRLEN_P(result) < 0) {
+               if (Z_STRLEN_P(result) < 0 || (int) (Z_STRLEN_P(op1) + 
Z_STRLEN_P(op2)) < 0) {
                        efree(Z_STRVAL_P(result));
                        ZVAL_EMPTY_STRING(result);
                        zend_error(E_ERROR, "String size overflow");

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to