Commit: cfdd6c5788afc6fb907f6f518dceab4fd82c922e
Author: Gustavo André dos Santos Lopes(cataphr...@php.net)         Sun, 5 Feb 
2012 14:57:57 +0000
Committer: Gustavo André dos Santos Lopes(cataphr...@php.net)      Mon, 19 Mar 
2012 16:36:21 +0000
Parents: 9a460497da3cc2b755f4628350756427fc0a1051

Link: 
http://git.php.net/?p=php-src.git;a=commitdiff;h=cfdd6c5788afc6fb907f6f518dceab4fd82c922e

Log:
MFH: 7dcada1 for 5.4

- Fixed possible unsigned int wrap around in html.c. Note that 5.3 has the same
  (potential) problem; even though the code is substantially different, the
  variable name and the way it was incremented were kept.

Changed paths:
  M  ext/standard/html.c


Diff:
cfdd6c5788afc6fb907f6f518dceab4fd82c922e
diff --git a/ext/standard/html.c b/ext/standard/html.c
index 5b47a83..65e63f4 100644
--- a/ext/standard/html.c
+++ b/ext/standard/html.c
@@ -1258,9 +1258,13 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char 
*old, size_t oldlen, size
                maxlen = 128;   
        } else {
                maxlen = 2 * oldlen;
+               if (maxlen < oldlen) {
+                       zend_error_noreturn(E_ERROR, "Input string is too 
long");
+                       return NULL;
+               }
        }
 
-       replaced = emalloc(maxlen + 1);
+       replaced = emalloc(maxlen + 1); /* adding 1 is safe: maxlen is even */
        len = 0;
        cursor = 0;
        while (cursor < oldlen) {
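Review bot: The new guard `if (maxlen < oldlen)` only detects the wrap after `maxlen = 2 * oldlen` has already executed, which is well-defined as long as `maxlen` is unsigned (its comparison against the `size_t` `oldlen` suggests it is, but the declaration is outside the hunk) and would be undefined behaviour if the variable were ever made signed; checking before the multiplication, `if (oldlen > ((size_t)-1) / 2) { zend_error_noreturn(E_ERROR, "Input string is too long"); return NULL; } maxlen = 2 * oldlen;`, states the intent directly and does not depend on the type. The `return NULL;` after `zend_error_noreturn(E_ERROR, ...)` is reachable only on builds where that macro is not marked noreturn; keep it, but a comment such as `/* not reached: E_ERROR bails out; kept for builds without a noreturn attribute */` stops the next reader from deleting it, and on those builds every caller of php_escape_html_entities_ex must tolerate a NULL return, which cannot be confirmed from here. The function signature and the branch that sets `maxlen = 128` begin before this hunk.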
@@ -1272,8 +1276,9 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char 
*old, size_t oldlen, size
 
                /* guarantee we have at least 40 bytes to write.
                 * In HTML5, entities may take up to 33 bytes */
-               if (len + 40 > maxlen) {
-                       replaced = erealloc(replaced, (maxlen += 128) + 1);
+               if (len > maxlen - 40) { /* maxlen can never be smaller than 
128 */
+                       replaced = safe_erealloc(replaced, maxlen , 1, 128 + 1);
+                       maxlen += 128;
                }
 
                if (status == FAILURE) {
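Review bot: The reallocation `safe_erealloc(replaced, maxlen, 1, 128 + 1)` grows the buffer by a fixed 128 bytes, so input whose escaped form substantially exceeds the initial `2 * oldlen` (for example every byte a `<`, which expands to four bytes) reallocates roughly every 32 output characters; whether that degrades to quadratic copying depends on the allocator extending in place, which is not visible here. Geometric growth, `replaced = safe_erealloc(replaced, maxlen, 2, 1); maxlen *= 2;`, keeps the overflow protection (safe_erealloc checks `maxlen * 2 + 1`), keeps `maxlen` even as the allocation-site comment relies on, and bounds total copying to O(n) for attacker-sized input. The comment `maxlen can never be smaller than 128` is what makes `maxlen - 40` safe from underflow and should say where that comes from: `/* maxlen >= 128 from the initial sizing, so maxlen - 40 cannot underflow */`. The enclosing while loop starts before this hunk.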
@@ -1402,8 +1407,11 @@ encode_amp:
                                }
                                /* checks passed; copy entity to result */
                                /* entity size is unbounded, we may need more 
memory */
-                               if (maxlen < len + ent_len + 2 /* & and ; */) {
-                                       replaced = erealloc(replaced, (maxlen 
+= ent_len + 128) + 1);
+                               /* at this point maxlen - len >= 40 */
+                               if (maxlen - len < ent_len + 2 /* & and ; */) {
+                                       /* ent_len < oldlen, which is certainly 
<= SIZE_MAX/2 */
+                                       replaced = safe_erealloc(replaced, 
maxlen, 1, ent_len + 128 + 1);
+                                       maxlen += ent_len + 128;
                                }
                                replaced[len++] = '&';
                                memcpy(&replaced[len], &old[cursor], ent_len);
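Review bot: The comment `ent_len < oldlen, which is certainly <= SIZE_MAX/2` is the only thing keeping `ent_len + 128 + 1` from wrapping before safe_erealloc can check it, and the `SIZE_MAX/2` half is established by the `maxlen < oldlen` guard at the initial allocation, nowhere near this line; make the dependency explicit so the guard is not loosened independently: `/* ent_len < oldlen <= SIZE_MAX/2 (enforced by the 2*oldlen wrap check at allocation), so this offset cannot overflow; safe_erealloc then checks maxlen + offset */`. The `ent_len < oldlen` half is asserted rather than visible, since ent_len is computed in the `encode_amp:` block that begins before this hunk, so it is worth confirming that the entity scan is bounded by `oldlen - cursor`. The `maxlen += ent_len + 128` after the call cannot wrap because safe_erealloc just succeeded with a strictly larger size, which deserves one more clause in the same comment.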

