Fix bug #73276 - crash in openssl_random_pseudo_bytes function

author Stanislav Malyshev <stas@php.net>

Tue, 11 Oct 2016 20:37:47 +0000 (13:37 -0700)

committer Anatol Belski <ab@php.net>

Wed, 12 Oct 2016 13:55:42 +0000 (15:55 +0200)
author Stanislav Malyshev <stas@php.net>
Tue, 11 Oct 2016 20:37:47 +0000 (13:37 -0700)
committer Anatol Belski <ab@php.net>
Wed, 12 Oct 2016 13:55:42 +0000 (15:55 +0200)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c

index e2f9fafacf3b122118923d23f5de1dceb0b8be0b..bf1f0c51a98cca2098c2cc812120e04f54dc1aad 100644 (file)
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -5546,7 +5546,11 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
                 return;
         }
  
-       if (buffer_length <= 0) {
+       if (buffer_length <= 0
+#ifndef PHP_WIN32
+               || ZEND_LONG_INT_OVFL(buffer_length)
+#endif
+                       ) {
                 RETURN_FALSE;
         }
  
@@ -5570,6 +5574,7 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
  
         PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length);
         PHP_OPENSSL_RAND_ADD_TIME();
+       /* FIXME loop if requested size > INT_MAX */
         if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) {
                 zend_string_release(buffer);
                 if (zstrong_result_returned) {
author	Stanislav Malyshev <stas@php.net>
	Tue, 11 Oct 2016 20:37:47 +0000 (13:37 -0700)
committer	Anatol Belski <ab@php.net>
	Wed, 12 Oct 2016 13:55:42 +0000 (15:55 +0200)