iliaa Mon, 23 Nov 2009 04:12:36 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=291172
Log:
Extend the previously added large string concatenation validation
Changed paths:
U php/php-src/branches/PHP_5_2/Zend/zend_operators.c
U php/php-src/branches/PHP_5_3/Zend/zend_operators.c
Modified: php/php-src/branches/PHP_5_2/Zend/zend_operators.c
===================================================================
--- php/php-src/branches/PHP_5_2/Zend/zend_operators.c 2009-11-23 04:11:01 UTC
(rev 291171)
+++ php/php-src/branches/PHP_5_2/Zend/zend_operators.c 2009-11-23 04:12:36 UTC
(rev 291172)
@@ -1203,7 +1203,7 @@
if (result==op1) { /* special case, perform operations on result */
uint res_len = op1->value.str.len + op2->value.str.len;
- if (Z_STRLEN_P(result) < 0) {
+ if (Z_STRLEN_P(result) < 0 || (int) (Z_STRLEN_P(op1) +
Z_STRLEN_P(op2)) < 0) {
efree(Z_STRVAL_P(result));
ZVAL_EMPTY_STRING(result);
zend_error(E_ERROR, "String size overflow");
Modified: php/php-src/branches/PHP_5_3/Zend/zend_operators.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_operators.c 2009-11-23 04:11:01 UTC
(rev 291171)
+++ php/php-src/branches/PHP_5_3/Zend/zend_operators.c 2009-11-23 04:12:36 UTC
(rev 291172)
@@ -1227,7 +1227,7 @@
if (result==op1) { /* special case, perform operations on result */
uint res_len = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
- if (Z_STRLEN_P(result) < 0) {
+ if (Z_STRLEN_P(result) < 0 || (int) (Z_STRLEN_P(op1) +
Z_STRLEN_P(op2)) < 0) {
efree(Z_STRVAL_P(result));
ZVAL_EMPTY_STRING(result);
zend_error(E_ERROR, "String size overflow");
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
