authorAnatol Belski <ab@php.net>2015-08-25 22:47:23 +0200
committerAnatol Belski <ab@php.net>2015-08-26 16:39:53 +0200
commit1553ce2093bb959f926cc43a8bf6c3c36d5b0223 (patch)
tree1d832402c05c5db4985ebab0590e6b542a4635ab
parentce3e3f7884e71d9bfc34b3bef9dbc6751cdbf475 (diff)
downloadphp-git-1553ce2093bb959f926cc43a8bf6c3c36d5b0223.tar.gz
add some range checks to pcre
-rw-r--r--ext/pcre/php_pcre.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c
index 4da75ec4e8..55ca8fa70e 100644
--- a/ext/pcre/php_pcre.c
+++ b/ext/pcre/php_pcre.c
@@ -613,6 +613,11 @@ static void php_do_pcre_match(INTERNAL_FUNCTION_PARAMETERS, int global) /* {{{ *
ZEND_PARSE_PARAMETERS_END_EX(RETURN_FALSE);
#endif
+ if (ZEND_SIZE_T_INT_OVFL(ZSTR_LEN(subject))) {
+ php_error_docref(NULL, E_WARNING, "Subject is too long");
+ RETURN_FALSE;
+ }
+
/* Compile regex or get it from cache. */
if ((pce = pcre_get_compiled_regex_cache(regex)) == NULL) {
RETURN_FALSE;
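Review bot: The length guard sits in the PHP-facing entry point php_do_pcre_match, so it only protects calls that arrive through this function; if the match implementation it delegates to (outside the hunk) is also reachable from other extensions and still narrows the subject length to `int`, those callers remain unchecked. Consider placing the check where the length is actually narrowed, or having the callee take `size_t` and reject oversize input itself. The same applies to the identical guard added in preg_split further down. A short comment such as `/* PCRE takes the subject length as int; refuse anything that would truncate */` would also record why the check exists. The function body continues outside the hunk.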
@@ -1355,6 +1360,11 @@ static zend_string *php_replace_in_subject(zval *regex, zval *replace, zval *sub
/* FIXME: This might need to be changed to ZSTR_EMPTY_ALLOC(). Check if this zval could be dtor()'ed somehow */
ZVAL_EMPTY_STRING(&empty_replace);
+ if (ZEND_SIZE_T_INT_OVFL(ZSTR_LEN(subject_str))) {
+ php_error_docref(NULL, E_WARNING, "Subject is too long");
+ return NULL;
+ }
+
/* If regex is an array */
if (Z_TYPE_P(regex) == IS_ARRAY) {
replace_value = replace;
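Review bot: The new early `return NULL;` in php_replace_in_subject leaves without releasing subject_str, which is obtained above the hunk; if that is an owned reference (for example from zval_get_string), the oversize path leaks it and the guard should call `zend_string_release(subject_str);` before returning. The check also runs only once on the initial subject, ahead of the `Z_TYPE_P(regex) == IS_ARRAY` branch; if that branch feeds each replacement result back in as the next subject, an intermediate string could grow past INT_MAX without being re-checked, so the test likely belongs inside the loop or in the callee. The function begins and ends outside the hunk.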
@@ -1699,6 +1709,11 @@ static PHP_FUNCTION(preg_split)
ZEND_PARSE_PARAMETERS_END_EX(RETURN_FALSE);
#endif
+ if (ZEND_SIZE_T_INT_OVFL(ZSTR_LEN(subject))) {
+ php_error_docref(NULL, E_WARNING, "Subject is too long");
+ RETURN_FALSE;
+ }
+
/* Compile regex or get it from cache. */
if ((pce = pcre_get_compiled_regex_cache(regex)) == NULL) {
RETURN_FALSE;