Really fix bug #73017

1 files changed, 10 insertions, 4 deletions

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 9acbe03792..cb6a8b4315 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -883,11 +883,12 @@ PHP_FUNCTION(wordwrap)
 {
 	const char *text, *breakchar = "\n";
 	char *newtext;
-	int textlen, breakcharlen = 1, newtextlen, chk;
+	int textlen, breakcharlen = 1, chk;
 	size_t alloced;
-	long current = 0, laststart = 0, lastspace = 0;
+	size_t current = 0, laststart = 0, lastspace = 0;
 	long linelength = 75;
 	zend_bool docut = 0;
+	size_t newtextlen;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|lsb", &text, &textlen, &linelength, &breakchar, &breakcharlen, &docut) == FAILURE) {
 		return;
@@ -907,6 +908,11 @@ PHP_FUNCTION(wordwrap)
 		RETURN_FALSE;
 	}
 
+	if (linelength < 0 || linelength > INT_MAX) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be between 0 and %d", INT_MAX);
+		RETURN_FALSE;
+	}
+
 	/* Special case for a single-character break as it needs no
 	   additional storage space */
 	if (breakcharlen == 1 && !docut) {
@@ -934,10 +940,10 @@ PHP_FUNCTION(wordwrap)
 		if (linelength > 0) {
 			chk = (int)(textlen/linelength + 1);
 			newtext = safe_emalloc(chk, breakcharlen, textlen + 1);
-			alloced = textlen + chk * breakcharlen + 1;
+			alloced = (size_t)textlen + chk * (size_t)breakcharlen + 1;
 		} else {
 			chk = textlen;
-			alloced = textlen * (breakcharlen + 1) + 1;
+			alloced = (size_t)textlen * ((size_t)breakcharlen + 1) + 1;
 			newtext = safe_emalloc(textlen, (breakcharlen + 1), 1);
 		}