author | Stanislav Malyshev <stas@php.net> | 2014-05-11 18:15:29 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-05-11 18:16:19 -0700 |
commit | af5cc61cf374f3700872c989cfdf8e197248c57c (patch) | |
tree | b999bcdc3e341696f70806098fe42fd28b84acf2 | |
parent | 291b45afb5d5716ff0d340bd2bcb34731b806eed (diff) | |
parent | 2b475eebbea85779989e98e87753d6b023a1d131 (diff) | |
download | php-git-af5cc61cf374f3700872c989cfdf8e197248c57c.tar.gz |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
Fix bug #67247 spl_fixedarray_resize integer overflow
fix news
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/spl/spl_fixedarray.c | 2 | ||||
-rw-r--r-- | ext/spl/tests/bug67247.phpt | 13 |
3 files changed, 16 insertions, 3 deletions
@@ -13,8 +13,8 @@ PHP NEWS
 by tempnam()). (Boro Sitnikovski)
 . Fixed bug #67072 (Echoing unserialized "SplFileObject" crash). (Anatol)
 . Fixed bug #67245 (usage of memcpy() with overlapping src and dst in
- zend_exceptions.c) (backported fix from PHP 5.6; initially committed
- to wrong branch). (Bob)
+ zend_exceptions.c). (Bob)
+ . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas)
 
 - Curl:
 . Fixed bug #64247 (CURLOPT_INFILE doesn't allow reset). (Mike)
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index ca61b3bd97..98a5117eff 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -116,7 +116,7 @@ static void spl_fixedarray_resize(spl_fixedarray *array, long size TSRMLS_DC) /*
 array->elements = NULL;
 }
 } else if (size > array->size) {
- array->elements = erealloc(array->elements, sizeof(zval *) * size);
+ array->elements = safe_erealloc(array->elements, size, sizeof(zval *), 0);
 memset(array->elements + array->size, '\0', sizeof(zval *) * (size - array->size));
 } else { /* size < array->size */
 long i;
diff --git a/ext/spl/tests/bug67247.phpt b/ext/spl/tests/bug67247.phpt
new file mode 100644
index 0000000000..cb71445d7b
--- /dev/null
+++ b/ext/spl/tests/bug67247.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67247 (spl_fixedarray_resize integer overflow)
+--FILE--
+<?php
+$ar = new SplFixedArray(1);
+echo "size: ".$ar->getSize()."\n";
+$ar->setSize((PHP_INT_SIZE==8)?0x2000000000000001:0x40000001);
+echo "size: ".$ar->getSize()."\n";
+?>
+--EXPECTF--
+size: 1
+
+Fatal error: Possible integer overflow in memory allocation (%d * %d + 0) in %s on line %d |
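Review bot: The `memset` on the line after the new `safe_erealloc` call still computes `sizeof(zval *) * (size - array->size)` without a check, and it is only safe because `safe_erealloc` has already aborted the request when `size * sizeof(zval *)` would overflow and this branch requires `size > array->size`. That ordering dependency is worth stating on the realloc line, for example `/* safe_erealloc bails out if size * sizeof(zval *) overflows; the memset length below is bounded by that same product */`, so a later refactor does not move or replace the call and reopen the heap overflow. This assumes `array->size` is never negative, which the hunk does not show. The rest of spl_fixedarray_resize lies outside the hunk, so any other allocation in it that scales by `size` should be confirmed to go through an overflow-checked allocator as well.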
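Review bot: The 32-bit operand `0x40000001` in the `setSize()` call overflows the element-size product only when `size_t` is 32 bits wide, so on a build where `PHP_INT_SIZE` is 4 but pointers are 64-bit (64-bit Windows on this branch, as far as I know) the multiplication would not wrap and the script would most likely stop on a different error than the one in `--EXPECTF--`. A `--SKIPIF--` section for that configuration, or a comment above the `setSize()` line saying which product each constant is meant to overflow, would make the intent explicit. The test also covers only the rejected path; one in-range `setSize()` followed by `getSize()` before the oversized call would pin that ordinary growth still works after the allocator change.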