From 3810e7b362e7bdef00ad33ae683a49aa7ab19e0d Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 12 Jul 2016 23:13:52 -0700
Subject: Fix bug #72551 and bug #72552 - check before converting size_t->int

---
 ext/mcrypt/mcrypt.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'ext/mcrypt/mcrypt.c')

diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index fb5c638c97..73acaa29f2 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -645,6 +645,10 @@ PHP_FUNCTION(mcrypt_generic)
 		memset(ZSTR_VAL(data_str), 0, data_size);
 		memcpy(ZSTR_VAL(data_str), data, data_len);
 	} else { /* It's not a block algorithm */
+		if (data_len > INT_MAX) {
+			php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+			RETURN_FALSE;
+		}
 		data_size = (int)data_len;
 		data_str = zend_string_alloc(data_size, 0);
 		memset(ZSTR_VAL(data_str), 0, data_size);
@@ -695,6 +699,10 @@ PHP_FUNCTION(mdecrypt_generic)
 		memset(data_s, 0, data_size);
 		memcpy(data_s, data, data_len);
 	} else { /* It's not a block algorithm */
+		if (data_len > INT_MAX) {
+			php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+			RETURN_FALSE;
+		}
 		data_size = (int)data_len;
 		data_s = emalloc(data_size + 1);
 		memset(data_s, 0, data_size);
-- 
cgit v1.2.1