Commit:    157ddd95773114c1148536b4b32fcbedf0c79b20
Author:    Nikita Popov <ni...@php.net>         Thu, 5 Jul 2012 20:31:58 +0200
Parents:   88f46b162b3bf9bc9a7a1d3d7280f702f5b9f501
Branches:  PHP-5.3 PHP-5.4 master

Link:      http://git.php.net/?p=php-src.git;a=commitdiff;h=157ddd95773114c1148536b4b32fcbedf0c79b20

Log:
Fix potential integer overflow in nl2br

The buffer size was calculated manually, thus creating integer overflows
for very large inputs, e.g. nl2br(str_repeat("\n", 613566757)).

The code now uses safe_emalloc, thus making the code throw an error
instead of crashing.

Changed paths:
  M  ext/standard/string.c


Diff:
diff --git a/ext/standard/string.c b/ext/standard/string.c
index a521d78..1a7bd1e 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4001,13 +4001,12 @@ PHP_FUNCTION(nl2br)
                RETURN_STRINGL(str, str_len, 1);
        }
 
-       if (is_xhtml) {
-               new_length = str_len + repl_cnt * (sizeof("<br />") - 1);
-       } else {
-               new_length = str_len + repl_cnt * (sizeof("<br>") - 1);
-       }
+       {
+               size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : 
(sizeof("<br>") - 1);
 
-       tmp = target = emalloc(new_length + 1);
+               new_length = str_len + repl_cnt * repl_len;
+               tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1);
+       }
 
        while (str < end) {
                switch (*str) {
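Review bot: In the added block, `new_length = str_len + repl_cnt * repl_len;` is the same unchecked arithmetic the removed lines used, and it is evaluated before `safe_emalloc(repl_cnt, repl_len, str_len + 1)`. The wrapped value is harmless only because safe_emalloc errors out before new_length is read. I would move the assignment below the allocation, or add a one-line comment stating that the overflow check lives in safe_emalloc, so a later reorder or an extra use of new_length does not bring the bug back. The declaration of new_length is outside this hunk, so please confirm its type is wide enough for the largest sum safe_emalloc will accept. Two smaller points: the bare `{ ... }` block exists only to scope repl_len and would read more cleanly with the variable declared alongside the function's other locals, and the input quoted in the commit message would make a useful regression test asserting that the call fails with an error rather than crashing.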


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
