- fix possible Dechunking Filter Buffer Overflow
authorPierre Joye <pajoye@php.net>
Wed, 28 Apr 2010 14:10:01 +0000 (14:10 +0000)
committerPierre Joye <pajoye@php.net>
Wed, 28 Apr 2010 14:10:01 +0000 (14:10 +0000)
NEWS
ext/standard/filters.c

diff --git a/NEWS b/NEWS
index e260a4722c45ee383e82bd0dec380493737565d8..73982130fe1c5d50d92dbf6163e84e4456983d73 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,8 @@ PHP                                                                        NEWS
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
   (Andrey)
 
+- Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser.
+  (Pierre)
 - Fixed a possible arbitrary memory access inside sqlite extension. Reported 
   by Mateusz Kocielski. (Ilia)
 - Fixed string format validation inside phar extension. Reported by Stefan
index 9fa3a1719903ae39fc64b0e35fb1e9e85cd0aa67..ae7e03022f80963a23d5f9c89bac97ee4a5d9937 100644 (file)
@@ -1914,7 +1914,7 @@ typedef enum _php_chunked_filter_state {
 
 typedef struct _php_chunked_filter_data {
        php_chunked_filter_state state;
-       int chunk_size;
+       size_t chunk_size;
        int persistent;
 } php_chunked_filter_data;
 
@@ -1991,7 +1991,7 @@ static int php_dechunk(char *buf, int len, php_chunked_filter_data *data)
                                        continue;
                                }
                        case CHUNK_BODY:
-                               if (end - p >= data->chunk_size) {
+                               if ((size_t) (end - p) >= data->chunk_size) {
                                        if (p != out) {
                                                memmove(out, p, data->chunk_size);
                                        }
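Review bot: The new `(size_t) (end - p)` cast only keeps the memmove bounded while `end - p` is non-negative, yet the function still takes `int len` per the `@@` header, so the signed/unsigned mismatch removed from the struct survives at the call boundary. I cannot see the callers, but if one ever passes a length above INT_MAX, `end` would lie below `buf`, the difference would be negative, and the cast would turn it into a huge value that passes the check; changing the parameter to `size_t len` (and the `end = buf + len` setup to match) would close that path. The remainder of php_dechunk, including where chunk_size is parsed and decremented, lies outside this hunk.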