authorStanislav Malyshev <stas@php.net>2015-05-11 01:10:35 -0700
committerStanislav Malyshev <stas@php.net>2015-05-11 01:10:35 -0700
commit9c0813fd48023634f6ce97e66de0fb9b7c196cda (patch)
tree65c81182fa9a07fe0bf5f42a59c35848a9c98ebe
parent634aa0a2dbf8ec5e6fabb4ee01c6d1355ba7ee67 (diff)
downloadphp-git-9c0813fd48023634f6ce97e66de0fb9b7c196cda.tar.gz
Add test for bug #69522
-rw-r--r--ext/standard/pack.c6
-rw-r--r--ext/standard/tests/strings/bug69522.phpt11
2 files changed, 17 insertions, 0 deletions
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index c1c2c7a02c..20c7bf0462 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -642,6 +642,12 @@ PHP_FUNCTION(unpack)
break;
}
+ if (size != 0 && size != -1 && size < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type);
+ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
+
/* Do actual unpacking */
for (i = 0; i != arg; i++ ) {
/* Space for name + number, safe as namelen is ensured <= 200 */
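Review bot: The guard `size != 0 && size != -1 && size < 0` reduces to `size < -1`; the `size != 0` clause can never matter once `size < 0` is required, and the longer form hides that -1 is the only negative value allowed through. I would write `if (size < -1) {` and add a comment such as `/* -1 is a legitimate value here; any other negative size means the repeat count overflowed */` (what -1 stands for is inferred, since the switch that sets `size` is outside the hunk). The check also detects the overflow after the fact, by sign, so it only catches results that land negative. If `size` comes from signed arithmetic on the parsed repeat count, range-checking the count before that arithmetic would be sturdier and would not depend on how the overflow wraps. PHP_FUNCTION(unpack) starts and ends outside the hunk.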
diff --git a/ext/standard/tests/strings/bug69522.phpt b/ext/standard/tests/strings/bug69522.phpt
new file mode 100644
index 0000000000..fc86d409c6
--- /dev/null
+++ b/ext/standard/tests/strings/bug69522.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #69522 (heap buffer overflow in unpack())
+--FILE--
+<?php
+$a = pack("AAAAAAAAAAAA", 1,2,3,4,5,6,7,8,9,10,11,12);
+$b = unpack('h2147483648', $a);
+?>
+===DONE===
+--EXPECTF--
+Warning: unpack(): Type h: integer overflow in %s on line %d
+===DONE===
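Review bot: The test pins only the warning text, so the `RETURN_FALSE` on the new error path is never verified; `$b` is assigned and then left unused. Adding `var_dump($b);` after the unpack() call, with `bool(false)` between the warning line and `===DONE===` in the EXPECTF section, would catch a regression where the warning is emitted but a partially built array is still returned. The case also exercises only the `h` code with a single repeat count; whether other format codes reach the same guard is not visible from this page.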