| author | Anatol Belski <ab@php.net> | 2015-08-25 21:33:38 +0200 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2015-08-26 16:39:52 +0200 |
| commit | ce3e3f7884e71d9bfc34b3bef9dbc6751cdbf475 (patch) | |
| tree | 0e10fc3c71e60d181d88f1453ca8935d4a4d0489 | |
| parent | 871acceace023130b6c650473d4f4425825c1d85 (diff) | |
more range checks in ext/tidy
| -rw-r--r-- | ext/tidy/tidy.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c
index b5a78ee53b..cc76f165ac 100644
--- a/ext/tidy/tidy.c
+++ b/ext/tidy/tidy.c
@@ -577,6 +577,11 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil
 data = arg1;
 }
+ if (ZEND_SIZE_T_UINT_OVFL(ZSTR_LEN(data))) {
+ php_error_docref(NULL, E_WARNING, "Input string is too long");
+ RETURN_FALSE;
+ }
+
 doc = tidyCreate();
 errbuf = emalloc(sizeof(TidyBuffer));
 tidyBufInit(errbuf);
@@ -608,7 +613,7 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil
 TidyBuffer buf;
 tidyBufInit(&buf);
- tidyBufAttach(&buf, (byte *) ZSTR_VAL(data), ZSTR_LEN(data));
+ tidyBufAttach(&buf, (byte *) ZSTR_VAL(data), (uint)ZSTR_LEN(data));
 if (tidyParseBuffer(doc, &buf) < 0) {
 php_error_docref(NULL, E_WARNING, "%s", errbuf->bp);
@@ -1158,10 +1163,15 @@ static int php_tidy_output_handler(void **nothing, php_output_context *output_co
 tidyOptSetBool(doc, TidyForceOutput, yes);
 tidyOptSetBool(doc, TidyMark, no);
+ if (ZEND_SIZE_T_UINT_OVFL(output_context->in.used)) {
+ php_error_docref(NULL, E_WARNING, "Input string is too long");
+ return status;
+ }
+
 TIDY_SET_DEFAULT_CONFIG(doc);
 tidyBufInit(&inbuf);
- tidyBufAttach(&inbuf, (byte *) output_context->in.data, output_context->in.used);
+ tidyBufAttach(&inbuf, (byte *) output_context->in.data, (uint)output_context->in.used);
 if (0 <= tidyParseBuffer(doc, &inbuf) && 0 <= tidyCleanAndRepair(doc)) {
 tidyBufInit(&outbuf);
@@ -1412,7 +1422,7 @@ static PHP_FUNCTION(tidy_get_config)
 break;
 case TidyBoolean:
- add_assoc_bool(return_value, opt_name, (zend_long)opt_value);
+ add_assoc_bool(return_value, opt_name, opt_value ? 1 : 0);
 break;
 }
 } |
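Review bot: The early `RETURN_FALSE` in the new length guard of php_tidy_quick_repair may leak `data` when it is not just an alias of `arg1`. The context line `data = arg1; }` looks like the tail of a branch, and the function takes a file flag, so the other branch presumably produces its own string. If so, it should be released before returning, for example `if (is_file) { zend_string_release(data); }` (the parameter name is truncated in the hunk header, so confirm it). Placing the check ahead of `doc = tidyCreate();` is right, since no tidy-side resource is live yet. The function body starts and ends outside the hunk.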
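Review bot: The `(uint)` cast on `ZSTR_LEN(data)` in the `tidyBufAttach` call is lossless only because of the `ZEND_SIZE_T_UINT_OVFL` guard added in the previous hunk, roughly thirty lines earlier, and nothing at the call site says so. A comment such as `/* length already checked against the uint range above */` would keep a later refactor from moving or dropping the guard and turning the cast into a silent truncation, where tidy is handed a shorter length than the buffer really has. The same comment belongs on the `(uint)output_context->in.used` cast in php_tidy_output_handler.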
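Review bot: The new guard in php_tidy_output_handler exits with `return status;` after `doc` is already in use (the two `tidyOptSetBool(doc, ...)` context lines precede it). The early return therefore likely skips whatever releases the document and its error buffer later in the function, which lies outside the hunk. Either run the `ZEND_SIZE_T_UINT_OVFL(output_context->in.used)` check before the document is created, or skip the parse and fall through to the existing cleanup instead of returning directly. The size of the buffered output follows from request content, so the oversize path should be as leak-free as the normal one.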
