Commit: b383ddf1e5175abf1d000e887961fdcebae646a0 Author: Anatoliy Belsky <[email protected]> Wed, 11 Jul 2012 22:25:31 +0200 Parents: bcf5853eaa8b8be793d4a1bd325eaea68cfe57bb Branches: PHP-5.3 PHP-5.4 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=b383ddf1e5175abf1d000e887961fdcebae646a0 Log: Fixed bug #62477 LimitIterator int overflow Bugs: https://bugs.php.net/62477 Changed paths: M ext/spl/spl_iterators.c M ext/spl/spl_iterators.h A ext/spl/tests/bug62477_1.phpt A ext/spl/tests/bug62477_2.phpt Diff: diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c index eecd483..1cbb2e4 100755 --- a/ext/spl/spl_iterators.c +++ b/ext/spl/spl_iterators.c @@ -1380,12 +1380,31 @@ static spl_dual_it_object* spl_dual_it_construct(INTERNAL_FUNCTION_PARAMETERS, z intern->dit_type = dit_type; switch (dit_type) { case DIT_LimitIterator: { + zval *tmp_offset, *tmp_count; intern->u.limit.offset = 0; /* start at beginning */ intern->u.limit.count = -1; /* get all */ - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "O|ll", &zobject, ce_inner, &intern->u.limit.offset, &intern->u.limit.count) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "O|zz", &zobject, ce_inner, &tmp_offset, &tmp_count) == FAILURE) { zend_restore_error_handling(&error_handling TSRMLS_CC); return NULL; } + if (tmp_offset && Z_TYPE_P(tmp_offset) != IS_NULL) { + if (Z_TYPE_P(tmp_offset) != IS_LONG) { + zend_throw_exception(spl_ce_OutOfRangeException, "offset param must be of type int", 0 TSRMLS_CC); + zend_restore_error_handling(&error_handling TSRMLS_CC); + return NULL; + } else { + intern->u.limit.offset = Z_LVAL_P(tmp_offset); + } + } + if (tmp_count && Z_TYPE_P(tmp_count) != IS_NULL) { + if (Z_TYPE_P(tmp_count) != IS_LONG) { + zend_throw_exception(spl_ce_OutOfRangeException, "count param must be of type int", 0 TSRMLS_CC); + zend_restore_error_handling(&error_handling TSRMLS_CC); + return NULL; + } else { + intern->u.limit.count = Z_LVAL_P(tmp_count); + } + } if (intern->u.limit.offset < 0) { zend_throw_exception(spl_ce_OutOfRangeException, "Parameter offset must be >= 0", 0 TSRMLS_CC); zend_restore_error_handling(&error_handling TSRMLS_CC); diff --git a/ext/spl/spl_iterators.h b/ext/spl/spl_iterators.h index 525a25c..9494b26 100755 --- a/ext/spl/spl_iterators.h +++ b/ext/spl/spl_iterators.h @@ -128,7 +128,7 @@ typedef struct _spl_dual_it_object { uint str_key_len; ulong int_key; int key_type; /* HASH_KEY_IS_STRING or HASH_KEY_IS_LONG */ - int pos; + long pos; } current; dual_it_type dit_type; union { diff --git a/ext/spl/tests/bug62477_1.phpt b/ext/spl/tests/bug62477_1.phpt new file mode 100644 index 0000000..1b768a7 --- /dev/null +++ b/ext/spl/tests/bug62477_1.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #62477 LimitIterator int overflow when float is passed (1) +--FILE-- +<?php + +$it = new LimitIterator(new ArrayIterator(array(42)), 10000000000000000000); +--EXPECTF-- +Fatal error: Uncaught exception 'OutOfRangeException' with message 'offset param must be of type int' in %sbug62477_1.php:%d +Stack trace: +#0 %sbug62477_1.php(%d): LimitIterator->__construct(Object(ArrayIterator), %f) +#1 {main} + thrown in %sbug62477_1.php on line %d diff --git a/ext/spl/tests/bug62477_2.phpt b/ext/spl/tests/bug62477_2.phpt new file mode 100644 index 0000000..aa3468a --- /dev/null +++ b/ext/spl/tests/bug62477_2.phpt @@ -0,0 +1,12 @@ +--TEST-- +Bug #62477 LimitIterator int overflow when float is passed (2) +--FILE-- +<?php + +$it = new LimitIterator(new ArrayIterator(array(42)), 0, 10000000000000000000); +--EXPECTF-- +Fatal error: Uncaught exception 'OutOfRangeException' with message 'count param must be of type int' in %sbug62477_2.php:%d +Stack trace: +#0 %sbug62477_2.php(%d): LimitIterator->__construct(Object(ArrayIterator), 0, %f) +#1 {main} + thrown in %sbug62477_2.php on line %d -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
