Fix bug #72551 and bug #72552 - check before converting size_t->int

1 files changed, 8 insertions, 0 deletions

diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index fb5c638c97..73acaa29f2 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -645,6 +645,10 @@ PHP_FUNCTION(mcrypt_generic)
 		memset(ZSTR_VAL(data_str), 0, data_size);
 		memcpy(ZSTR_VAL(data_str), data, data_len);
 	} else { /* It's not a block algorithm */
+		if (data_len > INT_MAX) {
+			php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+			RETURN_FALSE;
+		}
 		data_size = (int)data_len;
 		data_str = zend_string_alloc(data_size, 0);
 		memset(ZSTR_VAL(data_str), 0, data_size);
@@ -695,6 +699,10 @@ PHP_FUNCTION(mdecrypt_generic)
 		memset(data_s, 0, data_size);
 		memcpy(data_s, data, data_len);
 	} else { /* It's not a block algorithm */
+		if (data_len > INT_MAX) {
+			php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+			RETURN_FALSE;
+		}
 		data_size = (int)data_len;
 		data_s = emalloc(data_size + 1);
 		memset(data_s, 0, data_size);