Fix bug #74603 - use correct buffer size

author Stanislav Malyshev <stas@php.net>

Tue, 20 Jun 2017 07:09:01 +0000 (00:09 -0700)

committer Stanislav Malyshev <stas@php.net>

Wed, 5 Jul 2017 02:00:03 +0000 (19:00 -0700)
author Stanislav Malyshev <stas@php.net>
Tue, 20 Jun 2017 07:09:01 +0000 (00:09 -0700)
committer Stanislav Malyshev <stas@php.net>
Wed, 5 Jul 2017 02:00:03 +0000 (19:00 -0700)
diff --git a/Zend/tests/bug74603.ini b/Zend/tests/bug74603.ini

new file mode 100644 (file)

index 0000000..8d74a57
--- /dev/null
+++ b/Zend/tests/bug74603.ini
@@ -0,0 +1 @@
+0=0&~2000000000
diff --git a/Zend/tests/bug74603.phpt b/Zend/tests/bug74603.phpt

new file mode 100644 (file)

index 0000000..b3194ec
--- /dev/null
+++ b/Zend/tests/bug74603.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability)
+--SKIPIF--
+<?php
+if (PHP_INT_MAX !== 2147483647)
+        die('skip for 32-bit only');
+--FILE--
+<?php
+var_dump(parse_ini_file(__DIR__ . "/bug74603.ini", true, INI_SCANNER_NORMAL));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(1) "0"
+}
diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y

index ea4771a1118604a0af667b65698973997b67fdf2..ad8a84dd2ce5a00359007ba78ba0e432d4b39b14 100644 (file)
--- a/Zend/zend_ini_parser.y
+++ b/Zend/zend_ini_parser.y
@@ -53,7 +53,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
  {
         int i_result;
         int i_op1, i_op2;
-       char str_result[MAX_LENGTH_OF_LONG];
+       char str_result[MAX_LENGTH_OF_LONG+1];
  
         i_op1 = atoi(Z_STRVAL_P(op1));
         free(Z_STRVAL_P(op1));
author	Stanislav Malyshev <stas@php.net>
	Tue, 20 Jun 2017 07:09:01 +0000 (00:09 -0700)
committer	Stanislav Malyshev <stas@php.net>
	Wed, 5 Jul 2017 02:00:03 +0000 (19:00 -0700)
Zend/tests/bug74603.ini	[new file with mode: 0644]	patch \| blob
Zend/tests/bug74603.phpt	[new file with mode: 0644]	patch \| blob
Zend/zend_ini_parser.y		patch \| blob \| history