]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9a859a3)
fix integer overflow in length calculation
authorStanislav Malyshev <stas@php.net>
Mon, 17 Mar 2008 23:00:41 +0000 (23:00 +0000)
committerStanislav Malyshev <stas@php.net>
Mon, 17 Mar 2008 23:00:41 +0000 (23:00 +0000)
ext/standard/formatted_print.c patch | blob | history

diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index 4c507911bd14e7795a995649fb28e7ac0032e9ca..2d81fae2a568350f21cb348e9a7a388cd5213ec4 100644 (file)
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -76,6 +76,7 @@ php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
        register int npad;
        int req_size;
        int copy_len;
+       int m_width;
 
        copy_len = (expprec ? MIN(max_width, len) : len);
        npad = min_width - copy_len;
@@ -86,11 +87,19 @@ php_sprintf_appendstring(char **buffer, int *pos, int *size, char *add,
        
        PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n",
                                  *buffer, *pos, *size, add, min_width, padding, alignment));
+       m_width = MAX(min_width, copy_len);
 
-       req_size = *pos + MAX(min_width, copy_len) + 1;
+       if(m_width > INT_MAX - *pos - 1) {
+               zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width);
+       }
+
+       req_size = *pos + m_width + 1;
 
        if (req_size > *size) {
                while (req_size > *size) {
+                       if(*size > INT_MAX/2) {
+                               zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size); 
+                       }
                        *size <<= 1;
                }
                PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
Unnamed repository; edit this file 'description' to name the repository.