sesser Sun Nov 28 07:44:42 2004 EDT Modified files: (Branch: PHP_5_0) /php-src/ext/standard pack.c /php-src/main php.h Log: MFH http://cvs.php.net/diff.php/php-src/ext/standard/pack.c?r1=1.52&r2=1.52.2.1&ty=u Index: php-src/ext/standard/pack.c diff -u php-src/ext/standard/pack.c:1.52 php-src/ext/standard/pack.c:1.52.2.1 --- php-src/ext/standard/pack.c:1.52 Tue Feb 24 16:49:28 2004 +++ php-src/ext/standard/pack.c Sun Nov 28 07:44:42 2004 @@ -15,7 +15,7 @@ | Author: Chris Schneider <[EMAIL PROTECTED]> | +----------------------------------------------------------------------+ */ -/* $Id: pack.c,v 1.52 2004/02/24 21:49:28 gschlossnagle Exp $ */ +/* $Id: pack.c,v 1.52.2.1 2004/11/28 12:44:42 sesser Exp $ */ #include "php.h" @@ -61,6 +61,13 @@ #include <netinet/in.h> #endif +#define INC_OUTPUTPOS(a,b) \ + if ((a) < 0 || ((INT_MAX - outputpos)/(b)) < (a)) { \ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow in format string", code); \ + RETURN_FALSE; \ + } \ + outputpos += (a)*(b); + /* Whether machine is little endian */ char machine_little_endian; @@ -244,7 +251,7 @@ switch ((int) code) { case 'h': case 'H': - outputpos += (arg + 1) / 2; /* 4 bit per arg */ + INC_OUTPUTPOS((arg + 1) / 2,1) /* 4 bit per arg */ break; case 'a': @@ -252,34 +259,34 @@ case 'c': case 'C': case 'x': - outputpos += arg; /* 8 bit per arg */ + INC_OUTPUTPOS(arg,1) /* 8 bit per arg */ break; case 's': case 'S': case 'n': case 'v': - outputpos += arg * 2; /* 16 bit per arg */ + INC_OUTPUTPOS(arg,2) /* 16 bit per arg */ break; case 'i': case 'I': - outputpos += arg * sizeof(int); + INC_OUTPUTPOS(arg,sizeof(int)) break; case 'l': case 'L': case 'N': case 'V': - outputpos += arg * 4; /* 32 bit per arg */ + INC_OUTPUTPOS(arg,4) /* 32 bit per arg */ break; case 'f': - outputpos += arg * sizeof(float); + INC_OUTPUTPOS(arg,sizeof(float)) break; case 'd': - outputpos += arg * sizeof(double); + INC_OUTPUTPOS(arg,sizeof(double)) break; case 'X': 
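Review bot: INC_OUTPUTPOS expands to a bare `if` block followed by a separate `outputpos += (a)*(b);` statement, so a use under an unbraced `if` or `else` would guard only the check and leave the increment unconditional. Wrapping the body in `do { ... } while (0)` and ending each call site with a semicolon removes that hazard. The macro also reads `outputpos` and `code` from the caller's scope and leaves the enclosing function through RETURN_FALSE; a comment above the definition such as `/* Adds a*b to the caller's outputpos; on overflow warns (using the caller's code) and returns FALSE from the caller */` would make that explicit. If the calling function holds allocated buffers at that point (not visible in this hunk), the early return should release them first.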
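Review bot: In the 'h'/'H' case the argument `(arg + 1) / 2` is computed before the macro's range check runs, so `arg == INT_MAX` overflows a signed int inside the argument itself; whether arg can reach that value depends on parsing code outside this hunk. `INC_OUTPUTPOS(arg / 2 + arg % 2, 1)` gives the same value for non-negative arg without the intermediate overflow, though a negative arg would need to be ruled out separately because the two forms differ there. In the `sizeof(...)` cases the division and the product inside the macro are carried out in size_t rather than int, and a cast such as `INC_OUTPUTPOS(arg, (int) sizeof(int))` keeps the whole check in one signedness. The switch starts and ends outside the hunk.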
@@ -648,6 +655,11 @@ sprintf(n, "%.*s", namelen, name); } + if (size != 0 && size != -1 && INT_MAX - size + 1 < inputpos) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type); + inputpos = 0; + } + if ((inputpos + size) <= inputlen) { switch ((int) type) { case 'a': @@ -818,6 +830,10 @@ } inputpos += size; + if (inputpos < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type); + inputpos = 0; + } } else if (arg < 0) { /* Reached end of input for '*' repeater */ break; http://cvs.php.net/diff.php/php-src/main/php.h?r1=1.203.2.3&r2=1.203.2.4&ty=u Index: php-src/main/php.h diff -u php-src/main/php.h:1.203.2.3 php-src/main/php.h:1.203.2.4 --- php-src/main/php.h:1.203.2.3 Mon Nov 15 18:14:39 2004 +++ php-src/main/php.h Sun Nov 28 07:44:42 2004 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: php.h,v 1.203.2.3 2004/11/15 23:14:39 fmk Exp $ */ +/* $Id: php.h,v 1.203.2.4 2004/11/28 12:44:42 sesser Exp $ */ #ifndef PHP_H #define PHP_H @@ -230,6 +230,14 @@ #define LONG_MIN (- LONG_MAX - 1) #endif +#ifndef INT_MAX +#define INT_MAX 2147483647 +#endif + +#ifndef INT_MIN +#define INT_MIN (- INT_MAX - 1) +#endif + #define PHP_GCC_VERSION ZEND_GCC_VERSION #define PHP_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_MALLOC #define PHP_ATTRIBUTE_FORMAT ZEND_ATTRIBUTE_FORMAT
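Review bot: The guard `INT_MAX - size + 1 < inputpos` is off by one: when `inputpos + size` equals INT_MAX + 1 it does not fire, and the `(inputpos + size) <= inputlen` test on the next line still performs a signed addition that overflows. Keeping the `size != 0 && size != -1` conditions and comparing with `INT_MAX - size < inputpos` covers that boundary for positive size; if size can be negative other than -1 (not visible here), `INT_MAX - size` would itself overflow and needs a separate check. On detection the code only warns and sets `inputpos = 0`, then carries on decoding from the start of the input, as does the `inputpos < 0` check in the @@ -818 hunk. Failing the call at that point would avoid returning values read from an offset the format string never asked for. The enclosing loop begins and ends outside both hunks.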
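Review bot: The INT_MAX fallback in php.h hard-codes 2147483647, which is only correct where int is 32 bits, and the new bounds checks in pack.c depend on this value being exact. A comment stating the assumption, for example `/* fallback for platforms without <limits.h>; assumes 32-bit int */`, would make that visible to anyone porting the code. Whether <limits.h> is already included earlier in php.h cannot be seen from this hunk.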