add some range checks to ext/dom
authorAnatol Belski <ab@php.net>
Tue, 25 Aug 2015 15:54:27 +0000 (17:54 +0200)
committerAnatol Belski <ab@php.net>
Wed, 26 Aug 2015 14:39:50 +0000 (16:39 +0200)
ext/dom/document.c

index 64d3ca4ad63569352ac213245e24ac67b2056f5b..6db61a3794a4398e783e90a2860ccfbb92f9d4d9 100644 (file)
@@ -1493,6 +1493,14 @@ static void dom_parse_document(INTERNAL_FUNCTION_PARAMETERS, int mode) {
                php_error_docref(NULL, E_WARNING, "Empty string supplied as input");
                RETURN_FALSE;
        }
+       if (ZEND_SIZE_T_INT_OVFL(source_len)) {
+               php_error_docref(NULL, E_WARNING, "Input string is too long");
+               RETURN_FALSE;
+       }
+       if (ZEND_LONG_EXCEEDS_INT(options)) {
+               php_error_docref(NULL, E_WARNING, "Invalid options");
+               RETURN_FALSE;
+       }
 
        newdoc = dom_document_parser(id, mode, source, source_len, options);
 
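Review bot: Neither added guard in dom_parse_document says why INT_MAX is the limit, and the call that follows still passes `source_len` and `options` to `dom_document_parser` at full width, so a reader cannot tell where the narrowing these checks protect against actually happens. The parser's signature and body are outside the hunk; presumably it forwards both values to libxml2 functions that take `int`. I would add a comment above the two checks, e.g. `/* libxml2 takes int lengths and option flags; reject values that would be truncated further down */`, so a later refactor does not drop the guards as redundant.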
@@ -2001,6 +2009,11 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
                RETURN_FALSE;
        }
 
+       if (ZEND_LONG_EXCEEDS_INT(options)) {
+               php_error_docref(NULL, E_WARNING, "Invalid options");
+               RETURN_FALSE;
+       }
+
        if (mode == DOM_LOAD_FILE) {
                if (CHECK_NULL_PATH(source, source_len)) {
                        php_error_docref(NULL, E_WARNING, "Invalid file source");
@@ -2009,7 +2022,11 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
                ctxt = htmlCreateFileParserCtxt(source, NULL);
        } else {
                source_len = xmlStrlen((xmlChar *) source);
-               ctxt = htmlCreateMemoryParserCtxt(source, source_len);
+               if (ZEND_SIZE_T_INT_OVFL(source_len)) {
+                       php_error_docref(NULL, E_WARNING, "Input string is too long");
+                       RETURN_FALSE;
+               }
+               ctxt = htmlCreateMemoryParserCtxt(source, (int)source_len);
        }
 
        if (!ctxt) {
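Review bot: The length check in the else branch runs after `source_len` has been overwritten with the result of `xmlStrlen()`, which returns `int`, so the value being tested has already passed through the narrow type the check is meant to protect. For a buffer longer than INT_MAX the outcome then depends on how xmlStrlen behaves at that size rather than on the guard itself. Testing the caller-supplied length first is more robust: move the `if (ZEND_SIZE_T_INT_OVFL(source_len))` block above `source_len = xmlStrlen((xmlChar *) source);`. The declaration of `source_len` and the parameter parsing are outside the hunk, so this assumes the variable still holds the original string length at that point.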
@@ -2017,7 +2034,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
        }
 
        if (options) {
-               htmlCtxtUseOptions(ctxt, options);
+               htmlCtxtUseOptions(ctxt, (int)options);
        }
 
        ctxt->vctxt.error = php_libxml_ctx_error;