Fix bug #72541 - size_t overflow lead to heap corruption

(cherry picked from commit 2ca8d85dd4ac6d5f8c046f339f9636e3099b0f08)
author: Stanislav Malyshev <stas@php.net> 2016-07-12 22:59:19 -0700
committer: Anatol Belski <ab@php.net> 2016-07-19 15:51:04 +0200
commit: 159403f7952a8616bfc6858c60f5314599a36652 (patch)
tree: 34a03db0edb5d36cc97f95076a5d58bccc70bad9
parent: 55f7df261743c0fddc1ee6d4ace0848f946d36af (diff)
download: php-git-159403f7952a8616bfc6858c60f5314599a36652.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 6a616411ef..7d085de73c 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -3595,6 +3595,10 @@ PHP_FUNCTION(curl_unescape)
 		RETURN_FALSE;
 	}
 
+	if (str_len > INT_MAX) {
+		RETURN_FALSE;
+	}
+
 	if ((out = curl_easy_unescape(ch->cp, str, str_len, &out_len))) {
 		RETVAL_STRINGL(out, out_len);
 		curl_free(out);
author	Stanislav Malyshev <stas@php.net>	2016-07-12 22:59:19 -0700
committer	Anatol Belski <ab@php.net>	2016-07-19 15:51:04 +0200
commit	159403f7952a8616bfc6858c60f5314599a36652 (patch)
tree	34a03db0edb5d36cc97f95076a5d58bccc70bad9
parent	55f7df261743c0fddc1ee6d4ace0848f946d36af (diff)
download	php-git-159403f7952a8616bfc6858c60f5314599a36652.tar.gz