]> granicus.if.org Git - php/commitdiff
Fix bug #73276 - crash in openssl_random_pseudo_bytes function
authorStanislav Malyshev <stas@php.net>
Tue, 11 Oct 2016 20:37:47 +0000 (13:37 -0700)
committerAnatol Belski <ab@php.net>
Wed, 12 Oct 2016 13:55:42 +0000 (15:55 +0200)
(cherry picked from commit 85a22a0af0722ef3a8d49a056a0b2b18be1fb981)

ext/openssl/openssl.c

index e2f9fafacf3b122118923d23f5de1dceb0b8be0b..bf1f0c51a98cca2098c2cc812120e04f54dc1aad 100644 (file)
@@ -5546,7 +5546,11 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
                return;
        }
 
-       if (buffer_length <= 0) {
+       if (buffer_length <= 0
+#ifndef PHP_WIN32
+               || ZEND_LONG_INT_OVFL(buffer_length)
+#endif
+                       ) {
                RETURN_FALSE;
        }
 
@@ -5570,6 +5574,7 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
 
        PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length);
        PHP_OPENSSL_RAND_ADD_TIME();
+       /* FIXME loop if requested size > INT_MAX */
        if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) {
                zend_string_release(buffer);
                if (zstrong_result_returned) {