[PHP-CVS] cvs: php-src(PHP_4_4) / NEWS /ext/standard string.c /ext/standard/tests/strings chunk_split.phpt

Tue, 29 May 2007 17:35:56 -0700 

iliaa           Wed May 30 00:35:41 2007 UTC

  Modified files:              (Branch: PHP_4_4)
    /php-src    NEWS 
    /php-src/ext/standard/tests/strings chunk_split.phpt 
    /php-src/ext/standard       string.c 
  Log:
  
  MFH: Fixed an interger overflow inside chunk_split(), identified by Gerhard
  Wagner
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.230&r2=1.1247.2.920.2.231&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.230 php-src/NEWS:1.1247.2.920.2.231
--- php-src/NEWS:1.1247.2.920.2.230     Sun May 27 14:53:37 2007
+++ php-src/NEWS        Wed May 30 00:35:41 2007
@@ -1,6 +1,8 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2007, Version 4.4.8
+- Fixed an interger overflow inside chunk_split(), identified by Gerhard
+  Wagner (Ilia)
 - Addded "max_input_nesting_level" php.ini option to limit nesting level of 
   input variables. Fix for MOPB-03-2007. (Stas)
 - Fixed bug #38798 (OpenSSL init corrected in php5 but not in php4). (Tony)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/chunk_split.phpt?r1=1.1.2.1&r2=1.1.2.1.2.1&diff_format=u
Index: php-src/ext/standard/tests/strings/chunk_split.phpt
diff -u php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1 
php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1.2.1
--- php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1 Sun Apr  3 
18:09:55 2005
+++ php-src/ext/standard/tests/strings/chunk_split.phpt Wed May 30 00:35:41 2007
@@ -8,6 +8,12 @@
 echo chunk_split('foooooooooooooooo', 5)."\n";
 echo chunk_split(str_repeat('X', 2*76))."\n";
 echo chunk_split("test", 10, "|end") . "\n";
+
+$a=str_repeat("B", 65535);
+$b=1;
+$c=str_repeat("B", 65535);
+var_dump(chunk_split($a,$b,$c));
+
 ?>
 --EXPECT--
 a-b-c-
@@ -20,3 +26,4 @@
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
 test|end
+bool(false)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.333.2.52.2.13&r2=1.333.2.52.2.14&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.333.2.52.2.13 
php-src/ext/standard/string.c:1.333.2.52.2.14
--- php-src/ext/standard/string.c:1.333.2.52.2.13       Thu May 24 21:31:05 2007
+++ php-src/ext/standard/string.c       Wed May 30 00:35:41 2007
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.333.2.52.2.13 2007/05/24 21:31:05 rasmus Exp $ */
+/* $Id: string.c,v 1.333.2.52.2.14 2007/05/30 00:35:41 iliaa Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -1511,11 +1511,18 @@
        char *p, *q;
        int chunks; /* complete chunks! */
        int restlen;
+       int out_len;
 
        chunks = srclen / chunklen;
        restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
-       dest = safe_emalloc(sizeof(char), (srclen + (chunks + 1) * endlen + 1), 
0);
+       out_len = (srclen + (chunks + 1) * endlen + 1);
+
+       if (out_len > INT_MAX || out_len <= 0) {
+               return NULL;
+       }
+
+       dest = safe_emalloc(out_len, sizeof(char), 0);
 
        for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
                memcpy(q, p, chunklen);

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to