author | Stanislav Malyshev <stas@php.net> | 2016-11-26 14:44:58 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-11-26 14:49:48 -0800 |
commit | bc85678df3488755fc54d8a222e366db0899d06c (patch) | |
tree | 867f6ae68c75775721167092bf45068817ad6103 | |
parent | 7f529e3dee032d5977166c3eb7b70f57edc8e562 (diff) | |
download | php-git-bc85678df3488755fc54d8a222e366db0899d06c.tar.gz |
Add more mbfl string size checks (bug #73505)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c | 30 | ||||
-rw-r--r-- | ext/standard/string.c | 2 |
3 files changed, 33 insertions, 3 deletions
@@ -4,6 +4,10 @@ PHP NEWS
 08 Dec 2016, PHP 5.6.29
+- Mbstring:
+ . Fixed bug #73505 (string length overflow in mbfl_memory_device_output
+ function). (Stas)
+
 - Mysqlnd:
 . Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*). (cmb)
diff --git a/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c b/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c
index 7509ef1a6a..c4d4e7fe37 100644
--- a/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c
+++ b/ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c
@@ -5,7 +5,7 @@
 * LICENSE NOTICES
 *
 * This file is part of "streamable kanji code filter and converter",
- * which is distributed under the terms of GNU Lesser General Public
+ * which is distributed under the terms of GNU Lesser General Public
 * License (version 2) as published by the Free Software Foundation.
 *
 * This software is distributed in the hope that it will be useful,
@@ -146,6 +146,10 @@ mbfl_memory_device_output(int c, void *data)
 unsigned char *tmp;
 newlen = device->length + device->allocsz;
+ if (newlen <= 0) {
+ /* overflow */
+ return -1;
+ }
 tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 if (tmp == NULL) {
 return -1;
@@ -169,6 +173,10 @@ mbfl_memory_device_output2(int c, void *data)
 unsigned char *tmp;
 newlen = device->length + device->allocsz;
+ if (newlen <= 0) {
+ /* overflow */
+ return -1;
+ }
 tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 if (tmp == NULL) {
 return -1;
@@ -194,6 +202,10 @@ mbfl_memory_device_output4(int c, void* data)
 unsigned char *tmp;
 newlen = device->length + device->allocsz;
+ if (newlen <= 0) {
+ /* overflow */
+ return -1;
+ }
 tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 if (tmp == NULL) {
 return -1;
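Review bot: The added `if (newlen <= 0)` test in the mbfl_memory_device_output hunk runs only after `device->length + device->allocsz` has been evaluated, and if that sum is formed in `int` (newlen is declared outside this hunk; the strcat hunk declares it `int`) an overflow there is undefined behaviour, so the check relies on wraparound the compiler is not required to produce. Testing the operands before adding avoids that, for example `if (device->allocsz > INT_MAX - device->length) { return -1; }` with `<limits.h>`, assuming both fields are non-negative, which the hunk does not show. The same check-after-add pattern is in the mbfl_memory_device_output2 and mbfl_memory_device_output4 hunks and in the strncat, devcat and mbfl_wchar_device_output hunks further down. All of these function bodies start and end outside their hunks.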
@@ -227,6 +239,10 @@ mbfl_memory_device_strcat(mbfl_memory_device *device, const char *psrc)
 if ((device->pos + len) >= device->length) {
 /* reallocate buffer */
 int newlen = device->length + (len + MBFL_MEMORY_DEVICE_ALLOC_SIZE)*sizeof(unsigned char);
+ if (newlen <= 0) {
+ /* overflow */
+ return -1;
+ }
 unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 if (tmp == NULL) {
 return -1;
@@ -254,6 +270,10 @@ mbfl_memory_device_strncat(mbfl_memory_device *device, const char *psrc, int len
 if ((device->pos + len) >= device->length) {
 /* reallocate buffer */
 int newlen = device->length + len + MBFL_MEMORY_DEVICE_ALLOC_SIZE;
+ if (newlen <= 0) {
+ /* overflow */
+ return -1;
+ }
 unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 if (tmp == NULL) {
 return -1;
@@ -281,6 +301,10 @@ mbfl_memory_device_devcat(mbfl_memory_device *dest, mbfl_memory_device *src)
 if ((dest->pos + src->pos) >= dest->length) {
 /* reallocate buffer */
 int newlen = dest->length + src->pos + MBFL_MEMORY_DEVICE_ALLOC_SIZE;
+ if (newlen <= 0) {
+ /* overflow */
+ return -1;
+ }
 unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)dest->buffer, newlen*sizeof(unsigned char));
 if (tmp == NULL) {
 return -1;
@@ -336,6 +360,10 @@ mbfl_wchar_device_output(int c, void *data)
 unsigned int *tmp;
 newlen = device->length + device->allocsz;
+ if (newlen <= 0) {
+ /* overflow */
+ return -1;
+ }
 tmp = (unsigned int *)mbfl_realloc((void *)device->buffer, newlen*sizeof(int));
 if (tmp == NULL) {
 return -1;
diff --git a/ext/standard/string.c b/ext/standard/string.c
index abe4eb1aba..569452ca93 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -20,8 +20,6 @@
 /* $Id$ */
-/* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
-
 #include <stdio.h>
 #include "php.h"
 #include "php_rand.h" |
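Review bot: In the mbfl_memory_device_strcat hunk the new `if` block lands between `int newlen = ...;` and `unsigned char *tmp = ...;`, so `tmp` is now declared after a statement. That is valid C99 but not C89, and if this branch is still built with a C89-only compiler it will not compile. Declaring `unsigned char *tmp;` next to `newlen` and assigning `tmp = (unsigned char *)mbfl_realloc(...)` after the check keeps the block portable. The strncat and devcat hunks have the same layout, and the enclosing `if` block closes outside each hunk.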
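Review bot: The new guard in mbfl_memory_device_strncat is reached only when `(device->pos + len) >= device->length` holds, and that sum is itself an unchecked addition with the caller-supplied `int len`. If it overflows, the comparison is unreliable and the reallocation branch, including the new check, may be skipped while whatever copy follows outside the hunk still runs against the old buffer. Rejecting bad lengths before the comparison closes that gap, for example `if (len < 0 || len > INT_MAX - device->pos) { return -1; }`, assuming `pos` is a non-negative int, which the hunk does not show. The same applies to `dest->pos + src->pos` in the devcat hunk and to `device->pos + len` in the strcat hunk.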
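Review bot: In the mbfl_wchar_device_output hunk a positive `newlen` passes the added check but is then multiplied by `sizeof(int)` in the mbfl_realloc call, and where size_t is 32 bits that product can wrap and produce a buffer with fewer than `newlen` elements. The `newlen <= 0` test does not cover this case. Bounding the element count as well would, for example `if (newlen <= 0 || (size_t)newlen > SIZE_MAX / sizeof(int)) { return -1; }` with `<stdint.h>`. The function body continues outside the hunk.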