diff options
| author | Michael Wallner <mike@php.net> | 2014-07-02 09:55:15 +0200 |
|---|---|---|
| committer | Michael Wallner <mike@php.net> | 2014-07-02 09:55:15 +0200 |
| commit | 1e06c73192c64ecc601ad265ed5666e90048c4b4 (patch) | |
| tree | 51586a60e3acef4959fb8825ca1dc1db23077a2b | |
| parent | 2e02f18b154bb00279e5d121cc36beea7b9b8f37 (diff) | |
| parent | 34e686c5562bfd289d330f5dae2dafec4e58a20c (diff) | |
| download | php-git-1e06c73192c64ecc601ad265ed5666e90048c4b4.tar.gz | |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
fix integer overflow in {stream,file}_{get,put}_contents()
| -rw-r--r-- | ext/standard/file.c | 16 | ||||
| -rw-r--r-- | ext/standard/streamsfuncs.c | 6 |
2 files changed, 17 insertions, 5 deletions
diff --git a/ext/standard/file.c b/ext/standard/file.c index 9c3c790fb4..b636b99a5a 100644 --- a/ext/standard/file.c +++ b/ext/standard/file.c @@ -519,7 +519,7 @@ PHP_FUNCTION(file_get_contents) char *contents; zend_bool use_include_path = 0; php_stream *stream; - int len; + long len; long offset = -1; long maxlen = PHP_STREAM_COPY_ALL; zval *zcontext = NULL; @@ -551,6 +551,10 @@ PHP_FUNCTION(file_get_contents) } if ((len = php_stream_copy_to_mem(stream, &contents, maxlen, 0)) > 0) { + if (len > INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX); + len = INT_MAX; + } RETVAL_STRINGL(contents, len, 0); } else if (len == 0) { RETVAL_EMPTY_STRING(); @@ -570,7 +574,7 @@ PHP_FUNCTION(file_put_contents) char *filename; int filename_len; zval *data; - int numbytes = 0; + long numbytes = 0; long flags = 0; zval *zcontext = NULL; php_stream_context *context = NULL; @@ -622,6 +626,10 @@ PHP_FUNCTION(file_put_contents) if (php_stream_copy_to_stream_ex(srcstream, stream, PHP_STREAM_COPY_ALL, &len) != SUCCESS) { numbytes = -1; } else { + if (len > LONG_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %lu to %ld bytes", (unsigned long) len, LONG_MAX); + len = LONG_MAX; + } numbytes = len; } break; @@ -637,7 +645,7 @@ PHP_FUNCTION(file_put_contents) if (Z_STRLEN_P(data)) { numbytes = php_stream_write(stream, Z_STRVAL_P(data), Z_STRLEN_P(data)); if (numbytes != Z_STRLEN_P(data)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data)); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data)); numbytes = -1; } } @@ -680,7 +688,7 @@ PHP_FUNCTION(file_put_contents) if (zend_std_cast_object_tostring(data, &out, IS_STRING TSRMLS_CC) == SUCCESS) { numbytes = php_stream_write(stream, Z_STRVAL(out), Z_STRLEN(out)); if (numbytes != Z_STRLEN(out)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out)); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out)); numbytes = -1; } zval_dtor(&out); diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c index b623447651..6876792d63 100644 --- a/ext/standard/streamsfuncs.c +++ b/ext/standard/streamsfuncs.c @@ -407,7 +407,7 @@ PHP_FUNCTION(stream_get_contents) zval *zsrc; long maxlen = PHP_STREAM_COPY_ALL, desiredpos = -1L; - int len; + long len; char *contents = NULL; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ll", &zsrc, &maxlen, &desiredpos) == FAILURE) { @@ -439,6 +439,10 @@ PHP_FUNCTION(stream_get_contents) len = php_stream_copy_to_mem(stream, &contents, maxlen, 0); if (contents) { + if (len > INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX); + len = INT_MAX; + } RETVAL_STRINGL(contents, len, 0); } else { RETVAL_EMPTY_STRING(); |