diff options
author | Michael Wallner <mike@php.net> | 2014-07-02 09:53:03 +0200 |
---|---|---|
committer | Michael Wallner <mike@php.net> | 2014-07-02 09:53:03 +0200 |
commit | 34e686c5562bfd289d330f5dae2dafec4e58a20c (patch) | |
tree | 991f45e28650c31c2055e5ac0c801536f8accf0e | |
parent | 899fe3d8af42dc09c3f0ed2915e516c068166a43 (diff) | |
download | php-git-34e686c5562bfd289d330f5dae2dafec4e58a20c.tar.gz |
fix integer overflow in {stream,file}_{get,put}_contents()
-rw-r--r-- | ext/standard/file.c | 16 | ||||
-rw-r--r-- | ext/standard/streamsfuncs.c | 6 |
2 files changed, 17 insertions, 5 deletions
diff --git a/ext/standard/file.c b/ext/standard/file.c index 6bcaef78ca..708c3e29c5 100644 --- a/ext/standard/file.c +++ b/ext/standard/file.c @@ -518,7 +518,7 @@ PHP_FUNCTION(file_get_contents) char *contents; zend_bool use_include_path = 0; php_stream *stream; - int len; + long len; long offset = -1; long maxlen = PHP_STREAM_COPY_ALL; zval *zcontext = NULL; @@ -550,6 +550,10 @@ PHP_FUNCTION(file_get_contents) } if ((len = php_stream_copy_to_mem(stream, &contents, maxlen, 0)) > 0) { + if (len > INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX); + len = INT_MAX; + } RETVAL_STRINGL(contents, len, 0); } else if (len == 0) { RETVAL_EMPTY_STRING(); @@ -569,7 +573,7 @@ PHP_FUNCTION(file_put_contents) char *filename; int filename_len; zval *data; - int numbytes = 0; + long numbytes = 0; long flags = 0; zval *zcontext = NULL; php_stream_context *context = NULL; @@ -621,6 +625,10 @@ PHP_FUNCTION(file_put_contents) if (php_stream_copy_to_stream_ex(srcstream, stream, PHP_STREAM_COPY_ALL, &len) != SUCCESS) { numbytes = -1; } else { + if (len > LONG_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %lu to %ld bytes", (unsigned long) len, LONG_MAX); + len = LONG_MAX; + } numbytes = len; } break; @@ -636,7 +644,7 @@ PHP_FUNCTION(file_put_contents) if (Z_STRLEN_P(data)) { numbytes = php_stream_write(stream, Z_STRVAL_P(data), Z_STRLEN_P(data)); if (numbytes != Z_STRLEN_P(data)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data)); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data)); numbytes = -1; } } @@ -679,7 +687,7 @@ PHP_FUNCTION(file_put_contents) if (zend_std_cast_object_tostring(data, &out, IS_STRING TSRMLS_CC) == SUCCESS) { numbytes = php_stream_write(stream, Z_STRVAL(out), Z_STRLEN(out)); if (numbytes != Z_STRLEN(out)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out)); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out)); numbytes = -1; } zval_dtor(&out); diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c index bdb05ec9b8..b1b318044e 100644 --- a/ext/standard/streamsfuncs.c +++ b/ext/standard/streamsfuncs.c @@ -407,7 +407,7 @@ PHP_FUNCTION(stream_get_contents) zval *zsrc; long maxlen = PHP_STREAM_COPY_ALL, desiredpos = -1L; - int len; + long len; char *contents = NULL; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ll", &zsrc, &maxlen, &desiredpos) == FAILURE) { @@ -439,6 +439,10 @@ PHP_FUNCTION(stream_get_contents) len = php_stream_copy_to_mem(stream, &contents, maxlen, 0); if (contents) { + if (len > INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX); + len = INT_MAX; + } RETVAL_STRINGL(contents, len, 0); } else { RETVAL_EMPTY_STRING(); |