Add more mbfl string size checks (bug #73505)
authorStanislav Malyshev <stas@php.net>
Sat, 26 Nov 2016 22:44:58 +0000 (14:44 -0800)
committerStanislav Malyshev <stas@php.net>
Sat, 26 Nov 2016 22:47:58 +0000 (14:47 -0800)
NEWS
ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c
ext/standard/string.c

diff --git a/NEWS b/NEWS
index 6469689e1b60d13e9ee35de69bb81f31fed95d24..eb9ab1b5308197e1881e0f12e334c07fc8f4f1f1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,10 @@ PHP                                                                        NEWS
 
 08 Dec 2016, PHP 5.6.29
 
+- Mbstring:
+  . Fixed bug #73505 (string length overflow in mbfl_memory_device_output
+    function). (Stas)
+
 - Mysqlnd:
   . Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*). (cmb)
 
index 7509ef1a6a1f523a85483faeb93a304277b4b3c3..c4d4e7fe37fbd57b311376b59bc46ba74c84a5ce 100644 (file)
@@ -5,7 +5,7 @@
  * LICENSE NOTICES
  *
  * This file is part of "streamable kanji code filter and converter",
- * which is distributed under the terms of GNU Lesser General Public 
+ * which is distributed under the terms of GNU Lesser General Public
  * License (version 2) as published by the Free Software Foundation.
  *
  * This software is distributed in the hope that it will be useful,
@@ -146,6 +146,10 @@ mbfl_memory_device_output(int c, void *data)
                unsigned char *tmp;
 
                newlen = device->length + device->allocsz;
+               if (newlen <= 0) {
+                       /* overflow */
+                       return -1;
+               }
                tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
                if (tmp == NULL) {
                        return -1;
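Review bot: The added `if (newlen <= 0)` runs only after `device->length + device->allocsz` has been evaluated. If those fields are signed ints (their declarations are outside this hunk), the overflowing addition is already undefined behaviour and an optimising compiler may remove the test. Checking the operands before adding avoids relying on wrap-around, assuming both are non-negative: `if (device->allocsz > INT_MAX - device->length) return -1;`. The same after-the-fact test is added in the mbfl_memory_device_output2, mbfl_memory_device_output4 and mbfl_wchar_device_output hunks, and the strcat, strncat and devcat hunks test newlen the same way. The function body starts and ends outside the hunk.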
@@ -169,6 +173,10 @@ mbfl_memory_device_output2(int c, void *data)
                unsigned char *tmp;
 
                newlen = device->length + device->allocsz;
+               if (newlen <= 0) {
+                       /* overflow */
+                       return -1;
+               }
                tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
                if (tmp == NULL) {
                        return -1;
@@ -194,6 +202,10 @@ mbfl_memory_device_output4(int c, void* data)
                unsigned char *tmp;
 
                newlen = device->length + device->allocsz;
+               if (newlen <= 0) {
+                       /* overflow */
+                       return -1;
+               }
                tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
                if (tmp == NULL) {
                        return -1;
@@ -227,6 +239,10 @@ mbfl_memory_device_strcat(mbfl_memory_device *device, const char *psrc)
        if ((device->pos + len) >= device->length) {
                /* reallocate buffer */
                int newlen = device->length + (len + MBFL_MEMORY_DEVICE_ALLOC_SIZE)*sizeof(unsigned char);
+               if (newlen <= 0) {
+                       /* overflow */
+                       return -1;
+               }
                unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
                if (tmp == NULL) {
                        return -1;
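Review bot: The new `if (newlen <= 0)` block sits between `int newlen = ...` and `unsigned char *tmp = ...`, so `tmp` is now declared after a statement, which a C89-only compiler rejects. Whether this branch must still build as C89 is not visible on this page. Declaring `unsigned char *tmp;` directly under `newlen` and assigning `tmp = (unsigned char *)mbfl_realloc(...)` after the check keeps the block valid under either standard. The mbfl_memory_device_strncat and mbfl_memory_device_devcat hunks have the same ordering.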
@@ -254,6 +270,10 @@ mbfl_memory_device_strncat(mbfl_memory_device *device, const char *psrc, int len
        if ((device->pos + len) >= device->length) {
                /* reallocate buffer */
                int newlen = device->length + len + MBFL_MEMORY_DEVICE_ALLOC_SIZE;
+               if (newlen <= 0) {
+                       /* overflow */
+                       return -1;
+               }
                unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
                if (tmp == NULL) {
                        return -1;
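Review bot: The enclosing guard `(device->pos + len) >= device->length` is evaluated before the new check, and with `len` a caller-supplied `int` that sum can itself overflow. In that case the reallocation branch, and the added test with it, may be skipped while the copy that presumably follows outside this hunk still uses `len`. A range check ahead of the guard would cover this, assuming a negative length is never valid here: `if (len < 0 || len > INT_MAX - device->pos) return -1;`. The guards in the strcat and devcat hunks have the same shape.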
@@ -281,6 +301,10 @@ mbfl_memory_device_devcat(mbfl_memory_device *dest, mbfl_memory_device *src)
        if ((dest->pos + src->pos) >= dest->length) {
                /* reallocate buffer */
                int newlen = dest->length + src->pos + MBFL_MEMORY_DEVICE_ALLOC_SIZE;
+               if (newlen <= 0) {
+                       /* overflow */
+                       return -1;
+               }
                unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)dest->buffer, newlen*sizeof(unsigned char));
                if (tmp == NULL) {
                        return -1;
@@ -336,6 +360,10 @@ mbfl_wchar_device_output(int c, void *data)
                unsigned int *tmp;
 
                newlen = device->length + device->allocsz;
+               if (newlen <= 0) {
+                       /* overflow */
+                       return -1;
+               }
                tmp = (unsigned int *)mbfl_realloc((void *)device->buffer, newlen*sizeof(int));
                if (tmp == NULL) {
                        return -1;
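Review bot: `newlen <= 0` does not cover the size computation `newlen*sizeof(int)` on the following line. Where size_t is 32 bits wide, a positive newlen above `SIZE_MAX / sizeof(int)` makes the product wrap, so mbfl_realloc is asked for fewer bytes than newlen elements need. Bounding the product in the same test closes that: `if (newlen <= 0 || (size_t)newlen > SIZE_MAX / sizeof(int)) return -1;`. The byte-device hunks multiply by `sizeof(unsigned char)` and are not affected by this; the declaration of newlen is outside the hunk, so its type is assumed to be int as in the *cat functions.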
index abe4eb1aba969f312671732d9ccd257782c79652..569452ca93d18f91fb63b85c26c99ddb958171b9 100644 (file)
@@ -20,8 +20,6 @@
 
 /* $Id$ */
 
-/* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
-
 #include <stdio.h>
 #include "php.h"
 #include "php_rand.h"