]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 24d741d)
Fixed bug #72849 - integer overflow in urlencode
authorStanislav Malyshev <stas@php.net>
Tue, 16 Aug 2016 22:58:05 +0000 (15:58 -0700)
committerStanislav Malyshev <stas@php.net>
Wed, 17 Aug 2016 05:55:42 +0000 (22:55 -0700)
ext/standard/url.c patch | blob | history

diff --git a/ext/standard/url.c b/ext/standard/url.c
index 4b52000f645cf91115fd569e50c159ff23d2142b..8e471e12d82fb4aa8b9a5d9bdee343ab0e6e4453 100644 (file)
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -520,6 +520,12 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
                        *to++ = c;
                }
        }
+
+       if ((to-start) > INT_MAX) {
+               /* E_ERROR since most clients won't check for error, and this is rather rare condition */
+               php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
+       }
+
        *to = 0;
        if (new_length) {
                *new_length = to - start;
Unnamed repository; edit this file 'description' to name the repository.