#include <netinet/in.h>
#endif
+#define INC_OUTPUTPOS(a,b) \
+ if ((a) < 0 || ((INT_MAX - outputpos)/(b)) < (a)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow in format string", code); \
+ RETURN_FALSE; \
+ } \
+ outputpos += (a)*(b);
+
/* Whether machine is little endian */
char machine_little_endian;
switch ((int) code) {
case 'h':
case 'H':
- outputpos += (arg + 1) / 2; /* 4 bit per arg */
+ INC_OUTPUTPOS((arg + 1) / 2,1) /* 4 bit per arg */
break;
case 'a':
case 'c':
case 'C':
case 'x':
- outputpos += arg; /* 8 bit per arg */
+ INC_OUTPUTPOS(arg,1) /* 8 bit per arg */
break;
case 's':
case 'S':
case 'n':
case 'v':
- outputpos += arg * 2; /* 16 bit per arg */
+ INC_OUTPUTPOS(arg,2) /* 16 bit per arg */
break;
case 'i':
case 'I':
- outputpos += arg * sizeof(int);
+ INC_OUTPUTPOS(arg,sizeof(int))
break;
case 'l':
case 'L':
case 'N':
case 'V':
- outputpos += arg * 4; /* 32 bit per arg */
+ INC_OUTPUTPOS(arg,4) /* 32 bit per arg */
break;
case 'f':
- outputpos += arg * sizeof(float);
+ INC_OUTPUTPOS(arg,sizeof(float))
break;
case 'd':
- outputpos += arg * sizeof(double);
+ INC_OUTPUTPOS(arg,sizeof(double))
break;
case 'X':
sprintf(n, "%.*s", namelen, name);
}
+ if (size != 0 && size != -1 && INT_MAX - size + 1 < inputpos) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type);
+ inputpos = 0;
+ }
+
if ((inputpos + size) <= inputlen) {
switch ((int) type) {
case 'a':
}
inputpos += size;
+ if (inputpos < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type);
+ inputpos = 0;
+ }
} else if (arg < 0) {
/* Reached end of input for '*' repeater */
break;
#define LONG_MIN (- LONG_MAX - 1)
#endif
+#ifndef INT_MAX
+#define INT_MAX 2147483647
+#endif
+
+#ifndef INT_MIN
+#define INT_MIN (- INT_MAX - 1)
+#endif
+
#define PHP_GCC_VERSION ZEND_GCC_VERSION
#define PHP_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_MALLOC
#define PHP_ATTRIBUTE_FORMAT ZEND_ATTRIBUTE_FORMAT
projects / php / commitdiff