Fix bug #72114 - int/size_t confusion in fread
authorStanislav Malyshev <stas@php.net>
Tue, 10 May 2016 04:55:29 +0000 (21:55 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 10 May 2016 04:55:29 +0000 (21:55 -0700)
ext/standard/file.c
ext/standard/tests/file/bug72114.phpt [new file with mode: 0644]

index 0abc022ca6b1558a3aee50963851c5d59fee96ff..e39c84f1cd41e536a35b5069f74443d66bae87b5 100644 (file)
@@ -1758,6 +1758,12 @@ PHPAPI PHP_FUNCTION(fread)
                RETURN_FALSE;
        }
 
+       if (len > INT_MAX) {
+               /* string length is int in 5.x so we can not read more than int */
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
+               RETURN_FALSE;
+       }
+
        Z_STRVAL_P(return_value) = emalloc(len + 1);
        Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);
 
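Review bot: The new guard still admits `len == INT_MAX`, and the following `emalloc(len + 1)` does the addition in whatever type `len` has; its declaration is outside the hunk, but if it is a signed `long` that is only 32 bits wide on the target (32-bit builds, LLP64), that addition overflows a signed value. Doing the arithmetic unsigned removes the doubt: `Z_STRVAL_P(return_value) = emalloc((size_t)len + 1);`. Under the same assumption the comparison `len > INT_MAX` can never be true on those targets, so the comment on the guard could say that the check only takes effect where `long` is wider than `int`. The test added in this commit names gzread in its title, while the only C change visible here is in fread; whether gzread has the same length handling and needs the same bound cannot be confirmed from this page. The body of fread starts and ends outside the hunk.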
diff --git a/ext/standard/tests/file/bug72114.phpt b/ext/standard/tests/file/bug72114.phpt
new file mode 100644 (file)
index 0000000..5e591ee
--- /dev/null
@@ -0,0 +1,12 @@
+--TEST--
+Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
+--FILE--
+<?php
+ini_set('memory_limit', "2500M");
+$fp = fopen("/dev/zero", "r");
+fread($fp, 2147483648);
+?>
+Done
+--EXPECTF--
+Warning: fread(): Length parameter must be no more than 2147483647 in %s/bug72114.php on line %d
+Done
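Review bot: The test has no `--SKIPIF--` section, yet it opens `/dev/zero` and passes 2147483648, which only stays an integer where PHP_INT_SIZE is 8; elsewhere the expected warning would likely not be produced and the test would fail for reasons unrelated to the fix. A guard such as `<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64-bit platforms only"); ?>` under `--SKIPIF--`, plus a skip when `/dev/zero` is not readable, would keep the result meaningful. The title mentions gzread but only fread is exercised, so either the title should be narrowed or a gzread case added. With the guard in place fread returns before allocating, so the 2500M memory_limit appears to matter only for reproducing the unpatched behaviour; a one-line comment saying so would explain why it is there.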