diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-10-03 00:09:02 -0700 |
|---|---|---|
| committer | Anatol Belski <ab@php.net> | 2016-10-12 19:48:25 +0200 |
| commit | 74b5662536ccdf9b7b02c495f02a27c64e27fff7 (patch) | |
| tree | 28e8f2701e6b110e8306d81527f0f53b84f82bd8 /ext/bcmath/libbcmath/src/init.c | |
| parent | f42cbd749cde1f91274c1d03df9024baba141a8f (diff) | |
| download | php-git-74b5662536ccdf9b7b02c495f02a27c64e27fff7.tar.gz | |
Fix bug #73190: memcpy negative parameter _bc_new_num_ex
(cherry picked from commit 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6)
Diffstat (limited to 'ext/bcmath/libbcmath/src/init.c')
| -rw-r--r-- | ext/bcmath/libbcmath/src/init.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c index e1aeeddf89..d3a2e580e5 100644 --- a/ext/bcmath/libbcmath/src/init.c +++ b/ext/bcmath/libbcmath/src/init.c @@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent) int length, scale, persistent; { bc_num temp; - + /* PHP Change: add length check */ + if ((size_t)length+(size_t)scale > INT_MAX) { + zend_error(E_ERROR, "Result too long, max is %d", INT_MAX); + } /* PHP Change: malloc() -> pemalloc(), removed free_list code */ temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent); #if 0 |