]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 256de92)
Corrected fix for CVE-2007-2872
authorIlia Alshanetsky <iliaa@php.net>
Sun, 3 Jun 2007 18:47:10 +0000 (18:47 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Sun, 3 Jun 2007 18:47:10 +0000 (18:47 +0000)
NEWS patch | blob | history
ext/standard/string.c patch | blob | history
ext/standard/tests/strings/chunk_split.phpt patch | blob | history

diff --git a/NEWS b/NEWS
index 29e2d39bd65b9c224ffe3ad63c4e3689898d82aa..742f1b3d4f8910221e7f7e2d256b099779cadd5a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2007, PHP 5.2.4
 - Improved fix for MOPB-02-2007. (Ilia)
+- Corrected fix for CVE-2007-2872. (Ilia)
 - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION
   GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING (Pierre)
 - Fixed bug #41518 (file_exists() warns of open_basedir restriction on 
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 7c4b07efc1749e566e7f9f598ec361c6c35e40df..2d7a7f02d2f4e915194a097db524d6cdccdeb3f1 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -1956,18 +1956,20 @@ static char *php_chunk_split(char *src, int srclen, char *end, int endlen, int c
        char *p, *q;
        int chunks; /* complete chunks! */
        int restlen;
-       int out_len; 
+       float out_len; 
 
        chunks = srclen / chunklen;
        restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
-       out_len = (srclen + (chunks + 1) * endlen + 1);
+       out_len = chunks + 1;
+       out_len *= endlen;
+       out_len += srclen + 1;
 
        if (out_len > INT_MAX || out_len <= 0) {
                return NULL;
        }
 
-       dest = safe_emalloc(out_len, sizeof(char), 0);
+       dest = safe_emalloc((int)out_len, sizeof(char), 0);
 
        for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
                memcpy(q, p, chunklen);
diff --git a/ext/standard/tests/strings/chunk_split.phpt b/ext/standard/tests/strings/chunk_split.phpt
index cfb817def1117dadfb7827f0c62f6e663d751606..f25cee9457f1692a053684b2a510279e7c557bf2 100644 (file)
--- a/ext/standard/tests/strings/chunk_split.phpt
+++ b/ext/standard/tests/strings/chunk_split.phpt
@@ -12,6 +12,12 @@ $b=1;
 $c=str_repeat("B", 65535);
 var_dump(chunk_split($a,$b,$c));
 
+$a=str_repeat("B", 65536);
+$b=1;
+$c=str_repeat("B", 65536);
+var_dump(chunk_split($a,$b,$c));
+
+
 ?>
 --EXPECT--
 a-b-c-
@@ -25,3 +31,4 @@ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
 test|end
 bool(false)
+bool(false)
Unnamed repository; edit this file 'description' to name the repository.