Commit: 157ddd95773114c1148536b4b32fcbedf0c79b20 Author: Nikita Popov <[email protected]> Thu, 5 Jul 2012 20:31:58 +0200 Parents: 88f46b162b3bf9bc9a7a1d3d7280f702f5b9f501 Branches: PHP-5.3 PHP-5.4 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=157ddd95773114c1148536b4b32fcbedf0c79b20 Log: Fix potential integer overflow in nl2br The buffer size was calculated manually, thus creating integer overflows for very large inputs, e.g. nl2br(str_repeat("\n", 613566757)). The code now uses safe_emalloc, thus making the code throw an error instead of crashing. Changed paths: M ext/standard/string.c Diff:
diff --git a/ext/standard/string.c b/ext/standard/string.c
index a521d78..1a7bd1e 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4001,13 +4001,12 @@ PHP_FUNCTION(nl2br)
 RETURN_STRINGL(str, str_len, 1);
 }
- if (is_xhtml) {
- new_length = str_len + repl_cnt * (sizeof("<br />") - 1);
- } else {
- new_length = str_len + repl_cnt * (sizeof("<br>") - 1);
- }
+ {
+ size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);
- tmp = target = emalloc(new_length + 1);
+ new_length = str_len + repl_cnt * repl_len;
+ tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1);
+ }
 while (str < end) {
 switch (*str) {
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
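Review bot: `new_length = str_len + repl_cnt * repl_len;` is still unchecked arithmetic; only the allocation size is routed through safe_emalloc. The declaration of new_length is outside the hunk, but if it is an int, a 64-bit build can satisfy the allocation (the size_t product does not wrap there) while the stored length truncates once the expanded size exceeds INT_MAX, so the length used after the loop would no longer match the buffer. I would bound the result before allocating, e.g. `if ((size_t)repl_cnt > ((size_t)INT_MAX - (size_t)str_len) / repl_len) { RETURN_FALSE; }` with whatever error reporting the file uses for oversized results, and add a comment such as `/* safe_emalloc aborts on size overflow; new_length is only valid once it has returned */`. The body of nl2br continues outside the hunk, so how new_length is consumed should be confirmed there.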
