MFB: Corrected fix for CVE-2007-2872

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 53791b0868929eedaabe5da88268e62c5e24e3a8..e7623bc7fbd9c10c119c3526d0845c09b52185b3 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3083,7 +3083,7 @@ static char* php_chunk_split(char *src, int srclen, char *end, int endlen, int c
        int chunks; /* complete chunks! */
        int restlen;
        int charsize = sizeof(char);
-       int out_len;
+       float out_len;
 
        if (str_type == IS_UNICODE) {
                charsize = sizeof(UChar);
@@ -3092,13 +3092,15 @@ static char* php_chunk_split(char *src, int srclen, char *end, int endlen, int c
        chunks = srclen / chunklen;
        restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
-       out_len = (srclen + (chunks + 1) * endlen + 1);
+       out_len = chunks + 1;
+       out_len *= endlen;
+       out_len += srclen + 1;
 
        if ((out_len > INT_MAX || out_len <= 0) || ((out_len * charsize) > INT_MAX || (out_len * charsize) <= 0)) {
                return NULL;
        }
 
-       dest = safe_emalloc(out_len, charsize, 0);
+       dest = safe_emalloc((int)out_len, charsize, 0);
 
        for (p = src, q = dest; p < (src + charsize * (srclen - chunklen + 1)); ) {
                memcpy(q, p, chunklen * charsize);

diff --git a/ext/standard/tests/strings/chunk_split.phpt b/ext/standard/tests/strings/chunk_split.phpt
index cfb817def1117dadfb7827f0c62f6e663d751606..f25cee9457f1692a053684b2a510279e7c557bf2 100644 (file)
--- a/ext/standard/tests/strings/chunk_split.phpt
+++ b/ext/standard/tests/strings/chunk_split.phpt
@@ -12,6 +12,12 @@ $b=1;
 $c=str_repeat("B", 65535);
 var_dump(chunk_split($a,$b,$c));
 
+$a=str_repeat("B", 65536);
+$b=1;
+$c=str_repeat("B", 65536);
+var_dump(chunk_split($a,$b,$c));
+
+
 ?>
 --EXPECT--
 a-b-c-
@@ -25,3 +31,4 @@ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
 test|end
 bool(false)
+bool(false)