]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6c621b1)
Extend the previously added large string concatenation validation
authorIlia Alshanetsky <iliaa@php.net>
Mon, 23 Nov 2009 04:12:36 +0000 (04:12 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Mon, 23 Nov 2009 04:12:36 +0000 (04:12 +0000)
Zend/zend_operators.c patch | blob | history

diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
index 4d9210d0e6f81f641a3c5882cf8da5845c153ec8..bedef805bd3e2fd20b4122d47524e98d0b089727 100644 (file)
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1203,7 +1203,7 @@ ZEND_API int concat_function(zval *result, zval *op1, zval *op2 TSRMLS_DC)
        if (result==op1) {      /* special case, perform operations on result */
                uint res_len = op1->value.str.len + op2->value.str.len;
 
-               if (Z_STRLEN_P(result) < 0) {
+               if (Z_STRLEN_P(result) < 0 || (int) (Z_STRLEN_P(op1) + Z_STRLEN_P(op2)) < 0) {
                        efree(Z_STRVAL_P(result));
                        ZVAL_EMPTY_STRING(result);
                        zend_error(E_ERROR, "String size overflow");
Unnamed repository; edit this file 'description' to name the repository.