diff options
author | Stanislav Malyshev <stas@php.net> | 2016-07-12 22:59:19 -0700 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-07-19 15:51:04 +0200 |
commit | 159403f7952a8616bfc6858c60f5314599a36652 (patch) | |
tree | 34a03db0edb5d36cc97f95076a5d58bccc70bad9 | |
parent | 55f7df261743c0fddc1ee6d4ace0848f946d36af (diff) | |
download | php-git-159403f7952a8616bfc6858c60f5314599a36652.tar.gz |
Fix bug #72541 - size_t overflow lead to heap corruption
(cherry picked from commit 2ca8d85dd4ac6d5f8c046f339f9636e3099b0f08)
-rw-r--r-- | ext/curl/interface.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 6a616411ef..7d085de73c 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -3595,6 +3595,10 @@ PHP_FUNCTION(curl_unescape) RETURN_FALSE; } + if (str_len > INT_MAX) { + RETURN_FALSE; + } + if ((out = curl_easy_unescape(ch->cp, str, str_len, &out_len))) { RETVAL_STRINGL(out, out_len); curl_free(out); |