fix integer overflow in {stream,file}_{get,put}_contents()

author Michael Wallner <mike@php.net>

Wed, 2 Jul 2014 07:53:03 +0000 (09:53 +0200)

committer Michael Wallner <mike@php.net>

Wed, 2 Jul 2014 07:53:03 +0000 (09:53 +0200)
author Michael Wallner <mike@php.net>
Wed, 2 Jul 2014 07:53:03 +0000 (09:53 +0200)
committer Michael Wallner <mike@php.net>
Wed, 2 Jul 2014 07:53:03 +0000 (09:53 +0200)
diff --git a/ext/standard/file.c b/ext/standard/file.c

index 6bcaef78ca979cb4c57950e913479c19911e433d..708c3e29c5f25f38206672deaba6cf82f5af5def 100644 (file)
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -518,7 +518,7 @@ PHP_FUNCTION(file_get_contents)
         char *contents;
         zend_bool use_include_path = 0;
         php_stream *stream;
-       int len;
+       long len;
         long offset = -1;
         long maxlen = PHP_STREAM_COPY_ALL;
         zval *zcontext = NULL;
@@ -550,6 +550,10 @@ PHP_FUNCTION(file_get_contents)
         }
  
         if ((len = php_stream_copy_to_mem(stream, &contents, maxlen, 0)) > 0) {
+               if (len > INT_MAX) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
+                       len = INT_MAX;
+               }
                 RETVAL_STRINGL(contents, len, 0);
         } else if (len == 0) {
                 RETVAL_EMPTY_STRING();
@@ -569,7 +573,7 @@ PHP_FUNCTION(file_put_contents)
         char *filename;
         int filename_len;
         zval *data;
-       int numbytes = 0;
+       long numbytes = 0;
         long flags = 0;
         zval *zcontext = NULL;
         php_stream_context *context = NULL;
@@ -621,6 +625,10 @@ PHP_FUNCTION(file_put_contents)
                         if (php_stream_copy_to_stream_ex(srcstream, stream, PHP_STREAM_COPY_ALL, &len) != SUCCESS) {
                                 numbytes = -1;
                         } else {
+                               if (len > LONG_MAX) {
+                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %lu to %ld bytes", (unsigned long) len, LONG_MAX);
+                                       len = LONG_MAX;
+                               }
                                 numbytes = len;
                         }
                         break;
@@ -636,7 +644,7 @@ PHP_FUNCTION(file_put_contents)
                         if (Z_STRLEN_P(data)) {
                                 numbytes = php_stream_write(stream, Z_STRVAL_P(data), Z_STRLEN_P(data));
                                 if (numbytes != Z_STRLEN_P(data)) {
-                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data));
+                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data));
                                         numbytes = -1;
                                 }
                         }
@@ -679,7 +687,7 @@ PHP_FUNCTION(file_put_contents)
                                 if (zend_std_cast_object_tostring(data, &out, IS_STRING TSRMLS_CC) == SUCCESS) {
                                         numbytes = php_stream_write(stream, Z_STRVAL(out), Z_STRLEN(out));
                                         if (numbytes != Z_STRLEN(out)) {
-                                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out));
+                                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out));
                                                 numbytes = -1;
                                         }
                                         zval_dtor(&out);
diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c

index bdb05ec9b86767b054b0cc1219722c40294b090a..b1b318044ea5f0b16a2d36346c6225ae188ed65c 100644 (file)
--- a/ext/standard/streamsfuncs.c
+++ b/ext/standard/streamsfuncs.c
@@ -407,7 +407,7 @@ PHP_FUNCTION(stream_get_contents)
         zval            *zsrc;
         long            maxlen          = PHP_STREAM_COPY_ALL,
                                 desiredpos      = -1L;
-       int                     len;
+       long            len;
         char            *contents       = NULL;
  
         if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ll", &zsrc, &maxlen, &desiredpos) == FAILURE) {
@@ -439,6 +439,10 @@ PHP_FUNCTION(stream_get_contents)
         len = php_stream_copy_to_mem(stream, &contents, maxlen, 0);
  
         if (contents) {
+               if (len > INT_MAX) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
+                       len = INT_MAX;
+               }
                 RETVAL_STRINGL(contents, len, 0);
         } else {
                 RETVAL_EMPTY_STRING();
author	Michael Wallner <mike@php.net>
	Wed, 2 Jul 2014 07:53:03 +0000 (09:53 +0200)
committer	Michael Wallner <mike@php.net>
	Wed, 2 Jul 2014 07:53:03 +0000 (09:53 +0200)
ext/standard/file.c		patch \| blob \| history
ext/standard/streamsfuncs.c		patch \| blob \| history