More int->size_t and string overflow fixes

author: Stanislav Malyshev <stas@php.net> 2016-11-05 13:20:24 -0700
committer: Stanislav Malyshev <stas@php.net> 2016-11-05 13:22:17 -0700
commit: 669763d88a8bb9707a45f0937a129b63a161d2f0 (patch)
tree: 88a1fc19403a330c9a50e7095ee0a8844445b993 /Zend/zend_multiply.h
parent: d858b4c77fa28ff9b0a597141a58f51803bafc2b (diff)
download: php-git-669763d88a8bb9707a45f0937a129b63a161d2f0.tar.gz
1 files changed, 13 insertions, 0 deletions
diff --git a/Zend/zend_multiply.h b/Zend/zend_multiply.h
index 8a93990466..da0bc16933 100644
--- a/Zend/zend_multiply.h
+++ b/Zend/zend_multiply.h
@@ -278,6 +278,19 @@ static zend_always_inline size_t zend_safe_address_guarded(size_t nmemb, size_t
 	return ret;
 }
 
+/* A bit more generic version of the same */
+static zend_always_inline size_t zend_safe_addmult(size_t nmemb, size_t size, size_t offset, const char *message)
+{
+	int overflow;
+	size_t ret = zend_safe_address(nmemb, size, offset, &overflow);
+
+	if (UNEXPECTED(overflow)) {
+		zend_error_noreturn(E_ERROR, "Possible integer overflow in %s (%zu * %zu + %zu)", message, nmemb, size, offset);
+		return 0;
+	}
+	return ret;
+}
+
 #endif /* ZEND_MULTIPLY_H */
 
 /*
author	Stanislav Malyshev <stas@php.net>	2016-11-05 13:20:24 -0700
committer	Stanislav Malyshev <stas@php.net>	2016-11-05 13:22:17 -0700
commit	669763d88a8bb9707a45f0937a129b63a161d2f0 (patch)
tree	88a1fc19403a330c9a50e7095ee0a8844445b993 /Zend/zend_multiply.h
parent	d858b4c77fa28ff9b0a597141a58f51803bafc2b (diff)
download	php-git-669763d88a8bb9707a45f0937a129b63a161d2f0.tar.gz