iliaa Fri, 06 Aug 2010 19:55:10 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=301938
Log: Fixed issues inside str_pad() identified by bug #52550 Bug: http://bugs.php.net/52550 (Analyzed) integer undefined behaviors executed during "make test" Changed paths: U php/php-src/branches/PHP_5_3/ext/standard/string.c U php/php-src/trunk/ext/standard/string.c Modified: php/php-src/branches/PHP_5_3/ext/standard/string.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-08-06 19:47:03 UTC (rev 301937) +++ php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-08-06 19:55:10 UTC (rev 301938) @@ -4861,7 +4861,7 @@ long pad_length; /* Length to pad to */ /* Helper variables */ - int num_pad_chars; /* Number of padding characters (total - input size) */ + size_t num_pad_chars; /* Number of padding characters (total - input size) */ char *result = NULL; /* Resulting string */ int result_len = 0; /* Length of the resulting string */ char *pad_str_val = " "; /* Pointer to padding string */ @@ -4874,11 +4874,9 @@ return; } - num_pad_chars = pad_length - input_len; - /* If resulting string turns out to be shorter than input string, we simply copy the input and return. */ - if (pad_length <= 0 || num_pad_chars <= 0) { + if (pad_length <= 0 || (pad_length - input_len) <= 0) { RETURN_STRINGL(input, input_len, 1); } @@ -4892,6 +4890,11 @@ return; } + num_pad_chars = pad_length - input_len; + if (num_pad_chars >= INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Padding length is too long"); + return; + } result = (char *)emalloc(input_len + num_pad_chars + 1); /* We need to figure out the left/right padding lengths. */ Modified: php/php-src/trunk/ext/standard/string.c =================================================================== --- php/php-src/trunk/ext/standard/string.c 2010-08-06 19:47:03 UTC (rev 301937) +++ php/php-src/trunk/ext/standard/string.c 2010-08-06 19:55:10 UTC (rev 301938) @@ -4870,7 +4870,7 @@ long pad_length; /* Length to pad to */ /* Helper variables */ - int num_pad_chars; /* Number of padding characters (total - input size) */ + size_t num_pad_chars; /* Number of padding characters (total - input size) */ char *result = NULL; /* Resulting string */ int result_len = 0; /* Length of the resulting string */ char *pad_str_val = " "; /* Pointer to padding string */ @@ -4883,11 +4883,9 @@ return; } - num_pad_chars = pad_length - input_len; - /* If resulting string turns out to be shorter than input string, we simply copy the input and return. */ - if (pad_length <= 0 || num_pad_chars <= 0) { + if (pad_length <= 0 || (pad_length - input_len) <= 0) { RETURN_STRINGL(input, input_len, 1); } @@ -4901,6 +4899,11 @@ return; } + num_pad_chars = pad_length - input_len; + if (num_pad_chars >= INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Padding length is too long"); + return; + } result = (char *)emalloc(input_len + num_pad_chars + 1); /* We need to figure out the left/right padding lengths. */
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
