diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2016-08-30 01:53:27 +0200 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2016-08-30 02:05:45 +0200 |
commit | 207dab585aadd9f320976a0895734d7d9ca7b862 (patch) | |
tree | f6079c6d8d5e582625da6fc3aecd666ecc15665a | |
parent | c7b4cd1a51736b15d095b6b540f17076a0a8433d (diff) | |
download | php-git-207dab585aadd9f320976a0895734d7d9ca7b862.tar.gz |
Fix #71882: Negative ftruncate() on php://memory exhausts memory
We must not pass negative sizes to a size_t parameter.
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/standard/file.c | 5 | ||||
-rw-r--r-- | ext/standard/tests/file/bug71882.phpt | 11 |
3 files changed, 18 insertions, 0 deletions
@@ -48,6 +48,8 @@ PHP NEWS . Fixed bug #72278 (getimagesize returning FALSE on valid jpg). (cmb) . Fixed bug #65550 (get_browser() incorrectly parses entries with "+" sign). (cmb) + . Fixed bug #71882 (Negative ftruncate() on php://memory exhausts memory). + (cmb) - XML: . Fixed bug #72085 (SEGV on unknown address zif_xml_parse). (cmb) diff --git a/ext/standard/file.c b/ext/standard/file.c index d8471fff1c..d346ed9e92 100644 --- a/ext/standard/file.c +++ b/ext/standard/file.c @@ -1512,6 +1512,11 @@ PHP_NAMED_FUNCTION(php_if_ftruncate) RETURN_FALSE; } + if (size < 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Negative size is not supported"); + RETURN_FALSE; + } + PHP_STREAM_TO_ZVAL(stream, &fp); if (!php_stream_truncate_supported(stream)) { diff --git a/ext/standard/tests/file/bug71882.phpt b/ext/standard/tests/file/bug71882.phpt new file mode 100644 index 0000000000..ae0137b599 --- /dev/null +++ b/ext/standard/tests/file/bug71882.phpt @@ -0,0 +1,11 @@ +--TEST-- +Bug #71882 (Negative ftruncate() on php://memory exhausts memory) +--FILE-- +<?php +$fd = fopen("php://memory", "w+"); +ftruncate($fd, -1); +?> +==DONE== +--EXPECTF-- +Warning: ftruncate(): Negative size is not supported in %s%ebug71882.php on line %d +==DONE== |