Commit:    f195339006afa08889a0eab4c5b263c8cd8a054a
Author:    Anatol Belski <a...@php.net>         Tue, 10 Dec 2013 09:34:45 +0100
Parents:   f7f8c590a5e67e79d4b0ad8e687353a32054afaf
Branches:  str_size_and_int64

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=f195339006afa08889a0eab4c5b263c8cd8a054a

Log:
revamp range checks in ext/xml

Changed paths:
  M  ext/xml/xml.c


Diff:
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index f3571a9..24d5dcb 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -391,7 +391,7 @@ static zval *_xml_resource_zval(php_int_t value)
 static zval *_xml_string_zval(const char *str)
 {
        zval *ret;
-       int len = strlen(str);
+       size_t len = strlen(str);
        MAKE_STD_ZVAL(ret);
 
        Z_TYPE_P(ret) = IS_STRING;
@@ -973,7 +973,7 @@ void _xml_characterDataHandler(void *userData, const 
XML_Char *s, int len)
                                                if 
(zend_hash_find(Z_ARRVAL_PP(curtag),"type",sizeof("type"),(void **) &mytype) == 
SUCCESS) {
                                                        if 
(!strcmp(Z_STRVAL_PP(mytype), "cdata")) {
                                                                if 
(zend_hash_find(Z_ARRVAL_PP(curtag),"value",sizeof("value"),(void **) &myval) 
== SUCCESS) {
-                                                                       int 
newlen = Z_STRSIZE_PP(myval) + decoded_len;
+                                                                       
zend_str_size_int newlen = Z_STRSIZE_PP(myval) + decoded_len;
                                                                        
Z_STRVAL_PP(myval) = erealloc(Z_STRVAL_PP(myval),newlen+1);
                                                                        
strncpy(Z_STRVAL_PP(myval) + Z_STRSIZE_PP(myval), decoded_value, decoded_len + 
1);
                                                                        
Z_STRSIZE_PP(myval) += decoded_len;
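Review bot: The sum `Z_STRSIZE_PP(myval) + decoded_len` is still not range-checked before it sizes the buffer; widening `newlen` only moves the point at which it wraps. If the sum or `newlen+1` wrapped, `erealloc` would return a buffer smaller than the `decoded_len + 1` bytes that the following `strncpy` writes. I would skip the append when `decoded_len` exceeds the room left in the string-size type, and let the allocator check the final size with `Z_STRVAL_PP(myval) = safe_erealloc(Z_STRVAL_PP(myval), 1, newlen, 1);`. The declaration of `decoded_len` is outside the hunk, so its type should be confirmed as well.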
@@ -1115,7 +1115,7 @@ int _xml_externalEntityRefHandler(XML_Parser parserPtr,
                args[4] = _xml_xmlchar_zval(publicId, 0, 
parser->target_encoding);
                if ((retval = xml_call_handler(parser, 
parser->externalEntityRefHandler, parser->externalEntityRefPtr, 5, args))) {
                        convert_to_long(retval);
-                       ret = Z_LVAL_P(retval);
+                       ret = (0 == Z_LVAL_P(retval) ? 0 : 1) ;
                        efree(retval);
                } else {
                        ret = 0;
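Review bot: The reason for collapsing the handler result to 0/1 at `ret = (0 == Z_LVAL_P(retval) ? 0 : 1) ;` is not recorded, and the same pattern is used for `case_folding` and `skipwhite` in xml_parser_set_option. Presumably it stops a wide integer whose low bits are zero from truncating to 0 when stored in a narrower field; a one-line comment such as `/* normalise to 0/1: a plain assignment could truncate a wide non-zero value to 0 */` would make that explicit. The stray space before the semicolon can be dropped. `ret` is declared outside the hunk, so its width is inferred from the function's `int` return type.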
@@ -1449,6 +1449,12 @@ PHP_FUNCTION(xml_parse)
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rS|i", &pind, 
&data, &data_len, &isFinal) == FAILURE) {
                return;
        }
+
+       if (data_len > INT_MAX) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input data is too 
long.");
+               RETURN_LONG(0);
+       }
+
        ZEND_FETCH_RESOURCE(parser,xml_parser *, &pind, -1, "XML Parser", 
le_xml_parser);
 
        parser->isparsing = 1;
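Review bot: The new `if (data_len > INT_MAX)` guard here, and the identical one in xml_parse_into_struct, only works if `data_len` is declared with the wide string-size type. That declaration is outside both hunks; if it is still `int`, the comparison can never be true and the length is already truncated by the time it is tested. Worth confirming the declaration and adding a comment that says what the limit protects, e.g. `/* expat's XML_Parse() takes the length as int */`. Because the check is duplicated verbatim, a small static helper would keep the two entry points from drifting. Two messages in this commit end in a period ("Input data is too long.") and one does not ("Character count is too big"); pick one style.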
@@ -1474,6 +1480,11 @@ PHP_FUNCTION(xml_parse_into_struct)
                return;
        }
        
+       if (data_len > INT_MAX) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input data is too 
long.");
+               RETURN_LONG(0);
+       }
+
        if (info) {     
                zval_dtor(*info);
                array_init(*info);
@@ -1629,15 +1640,19 @@ PHP_FUNCTION(xml_parser_set_option)
        switch (opt) {
                case PHP_XML_OPTION_CASE_FOLDING:
                        convert_to_long_ex(val);
-                       parser->case_folding = Z_LVAL_PP(val);
+                       parser->case_folding = (0 == Z_LVAL_PP(val) ? 0 : 1);
                        break;
                case PHP_XML_OPTION_SKIP_TAGSTART:
                        convert_to_long_ex(val);
+                       if (Z_LVAL_PP(val) > INT_MAX) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Character count is too big");
+                               RETURN_FALSE;
+                       }
                        parser->toffset = Z_LVAL_PP(val);
                        break;
                case PHP_XML_OPTION_SKIP_WHITE:
                        convert_to_long_ex(val);
-                       parser->skipwhite = Z_LVAL_PP(val);
+                       parser->skipwhite = (0 == Z_LVAL_PP(val) ? 0 : 1);
                        break;
                case PHP_XML_OPTION_TARGET_ENCODING: {
                        xml_encoding *enc;
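Review bot: The range check added under `PHP_XML_OPTION_SKIP_TAGSTART` rejects values above `INT_MAX` but still accepts negative ones, and a value below `INT_MIN` would be truncated by the assignment to `parser->toffset`. If `toffset` is later added to a tag-name pointer (that code is not in this hunk), a negative skip count would address memory before the name. I would bound both sides with `if (Z_LVAL_PP(val) < 0 || Z_LVAL_PP(val) > INT_MAX) {`. A check against the actual tag length at the point of use would still be needed, since any fixed upper bound here can exceed a short tag name. The switch continues past the end of the hunk.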

