authorAnatol Belski <ab@php.net>2016-07-05 12:09:22 +0200
committerAnatol Belski <ab@php.net>2016-07-05 15:15:20 +0200
commitde643ead3ec0fe256d2b71649ba7d9c84e2e2102 (patch)
treee08725ccfa2624d17cf66f59bae349b7c8df29fd /ext/intl
parente395b62c51524427b225323f827efdc46eb0b9b0 (diff)
re-add range check
Diffstat (limited to 'ext/intl')
-rw-r--r--ext/intl/uchar/uchar.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/ext/intl/uchar/uchar.c b/ext/intl/uchar/uchar.c
index abb3e59671..a7e5c17340 100644
--- a/ext/intl/uchar/uchar.c
+++ b/ext/intl/uchar/uchar.c
@@ -8,12 +8,21 @@
static inline int convert_cp(UChar32* pcp, zval *zcp) {
zend_long cp = -1;
+
if (Z_TYPE_P(zcp) == IS_LONG) {
cp = Z_LVAL_P(zcp);
} else if (Z_TYPE_P(zcp) == IS_STRING) {
- size_t i = 0;
- U8_NEXT(Z_STRVAL_P(zcp), i, Z_STRLEN_P(zcp), cp);
- if (i != Z_STRLEN_P(zcp)) {
+ int32_t i = 0;
+ size_t zcp_len = Z_STRLEN_P(zcp);
+
+ if (ZEND_SIZE_T_INT_OVFL(zcp_len)) {
+ intl_error_set_code(NULL, U_ILLEGAL_ARGUMENT_ERROR);
+ intl_error_set_custom_msg(NULL, "Input string is too long.", 0);
+ return FAILURE;
+ }
+
+ U8_NEXT(Z_STRVAL_P(zcp), i, zcp_len, cp);
+ if ((size_t)i != zcp_len) {
intl_error_set_code(NULL, U_ILLEGAL_ARGUMENT_ERROR);
intl_error_set_custom_msg(NULL, "Passing a UTF-8 character for codepoint requires a string which is exactly one UTF-8 codepoint long.", 0);
return FAILURE;