iliaa Wed May 30 00:35:41 2007 UTC Modified files: (Branch: PHP_4_4) /php-src NEWS /php-src/ext/standard/tests/strings chunk_split.phpt /php-src/ext/standard string.c Log: MFH: Fixed an interger overflow inside chunk_split(), identified by Gerhard Wagner http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.230&r2=1.1247.2.920.2.231&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.1247.2.920.2.230 php-src/NEWS:1.1247.2.920.2.231 --- php-src/NEWS:1.1247.2.920.2.230 Sun May 27 14:53:37 2007 +++ php-src/NEWS Wed May 30 00:35:41 2007 @@ -1,6 +1,8 @@ PHP 4 NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2007, Version 4.4.8 +- Fixed an interger overflow inside chunk_split(), identified by Gerhard + Wagner (Ilia) - Addded "max_input_nesting_level" php.ini option to limit nesting level of input variables. Fix for MOPB-03-2007. (Stas) - Fixed bug #38798 (OpenSSL init corrected in php5 but not in php4). (Tony) http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/chunk_split.phpt?r1=1.1.2.1&r2=1.1.2.1.2.1&diff_format=u Index: php-src/ext/standard/tests/strings/chunk_split.phpt diff -u php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1 php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1.2.1 --- php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1 Sun Apr 3 18:09:55 2005 +++ php-src/ext/standard/tests/strings/chunk_split.phpt Wed May 30 00:35:41 2007 @@ -8,6 +8,12 @@ echo chunk_split('foooooooooooooooo', 5)."\n"; echo chunk_split(str_repeat('X', 2*76))."\n"; echo chunk_split("test", 10, "|end") . "\n"; + +$a=str_repeat("B", 65535); +$b=1; +$c=str_repeat("B", 65535); +var_dump(chunk_split($a,$b,$c)); + ?> --EXPECT-- a-b-c- 
@@ -20,3 +26,4 @@ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX test|end +bool(false) http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.333.2.52.2.13&r2=1.333.2.52.2.14&diff_format=u Index: php-src/ext/standard/string.c diff -u php-src/ext/standard/string.c:1.333.2.52.2.13 php-src/ext/standard/string.c:1.333.2.52.2.14 --- php-src/ext/standard/string.c:1.333.2.52.2.13 Thu May 24 21:31:05 2007 +++ php-src/ext/standard/string.c Wed May 30 00:35:41 2007 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: string.c,v 1.333.2.52.2.13 2007/05/24 21:31:05 rasmus Exp $ */ +/* $Id: string.c,v 1.333.2.52.2.14 2007/05/30 00:35:41 iliaa Exp $ */ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ @@ -1511,11 +1511,18 @@ char *p, *q; int chunks; /* complete chunks! */ int restlen; + int out_len; chunks = srclen / chunklen; restlen = srclen - chunks * chunklen; /* srclen % chunklen */ - dest = safe_emalloc(sizeof(char), (srclen + (chunks + 1) * endlen + 1), 0); + out_len = (srclen + (chunks + 1) * endlen + 1); + + if (out_len > INT_MAX || out_len <= 0) { + return NULL; + } + + dest = safe_emalloc(out_len, sizeof(char), 0); for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) { memcpy(q, p, chunklen);
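Review bot: The new guard in the string.c hunk runs after the overflow has already happened: `out_len` is an `int`, so `out_len > INT_MAX` can never be true, and `(chunks + 1) * endlen` is signed arithmetic whose overflow is undefined and can wrap to a positive value that also passes `out_len <= 0`. In that case `safe_emalloc` gets a size smaller than what the `memcpy` loop below writes, so the heap overflow the commit targets is still reachable. Bound the operands before multiplying, for example `if (endlen > 0 && chunks >= (INT_MAX - srclen - 1) / endlen) return NULL;`, and keep a separate check for `srclen + 1` when `endlen` is 0. This assumes `srclen` and `endlen` are non-negative `int`s; their declarations, the rest of the function and the caller's handling of the `NULL` return are outside the hunk. The added chunk_split.phpt case only exercises a sum that wraps to a non-positive value, so it would not catch the remaining case.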