Fix bug #72138 - Integer Overflow in Length of String-typed ZVAL

author Stanislav Malyshev <stas@php.net>

Tue, 14 Jun 2016 08:03:03 +0000 (01:03 -0700)

committer Stanislav Malyshev <stas@php.net>

Tue, 14 Jun 2016 08:03:03 +0000 (01:03 -0700)
author Stanislav Malyshev <stas@php.net>
Tue, 14 Jun 2016 08:03:03 +0000 (01:03 -0700)
committer Stanislav Malyshev <stas@php.net>
Tue, 14 Jun 2016 08:03:03 +0000 (01:03 -0700)
diff --git a/NEWS b/NEWS

index 37907b393f037f4c0d140212e4224a0ee9bcecc6..3b0153bac20d4e690b77ea8c3c90c25780b438f3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,9 @@ PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  ?? ??? 2016, PHP 5.6.24
  
+- Core:
+  . Fix bug #72138 (Integer Overflow in Length of String-typed ZVAL). (Stas)
+
  - OpenSSL:
    . Fixed bug #71915 (openssl_random_pseudo_bytes is not fork-safe).
      (Jakub Zelenka)
diff --git a/ext/standard/string.c b/ext/standard/string.c

index d5f83e7d0f49e6a3c3ba3036f626da06d721ea68..fa7094510cbef501b99aa12630caa96a22d35dc9 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3624,6 +3624,9 @@ PHPAPI int php_char_to_str_ex(char *str, uint len, char from, char *to, int to_l
         }
  
         Z_STRLEN_P(result) = len + (char_count * (to_len - 1));
+       if (Z_STRLEN_P(result) < 0) {
+               zend_error(E_ERROR, "String size overflow");
+       }
         Z_STRVAL_P(result) = target = safe_emalloc(char_count, to_len, len + 1);
         Z_TYPE_P(result) = IS_STRING;
author	Stanislav Malyshev <stas@php.net>
	Tue, 14 Jun 2016 08:03:03 +0000 (01:03 -0700)
committer	Stanislav Malyshev <stas@php.net>
	Tue, 14 Jun 2016 08:03:03 +0000 (01:03 -0700)
NEWS		patch \| blob \| history
ext/standard/string.c		patch \| blob \| history