- Fixed bug #54193 (Integer overflow in shmop_read())

author Felipe Pena <felipe@php.net>

Tue, 8 Mar 2011 13:11:14 +0000 (13:11 +0000)

committer Felipe Pena <felipe@php.net>

Tue, 8 Mar 2011 13:11:14 +0000 (13:11 +0000)
author Felipe Pena <felipe@php.net>
Tue, 8 Mar 2011 13:11:14 +0000 (13:11 +0000)
committer Felipe Pena <felipe@php.net>
Tue, 8 Mar 2011 13:11:14 +0000 (13:11 +0000)
diff --git a/NEWS b/NEWS

index 161d8c830c22a3abc70f19edfe102d780ebd6b10..a4dbaa109b05eb47a4cf6bf04b57ed1ccc4ef339 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
  PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  ?? ??? 2011, PHP 5.3.6
+- Shmop extension:
+  . Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe)
  
  03 Mar 2011, PHP 5.3.6RC2
  - Zend Engine:
diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c

index f88f4a34656d91955080afcbed741f5c87484e83..f96179aab71efe8a52570b6addf9679ee97062e4 100644 (file)
--- a/ext/shmop/shmop.c
+++ b/ext/shmop/shmop.c
@@ -256,7 +256,7 @@ PHP_FUNCTION(shmop_read)
                 RETURN_FALSE;
         }
  
-       if (start + count > shmop->size || count < 0) {
+       if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) {
                 php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
                 RETURN_FALSE;
         }
author	Felipe Pena <felipe@php.net>
	Tue, 8 Mar 2011 13:11:14 +0000 (13:11 +0000)
committer	Felipe Pena <felipe@php.net>
	Tue, 8 Mar 2011 13:11:14 +0000 (13:11 +0000)
NEWS		patch \| blob \| history
ext/shmop/shmop.c		patch \| blob \| history