Bug #73218: add mitigation for ICU int overflow
authorStanislav Malyshev <stas@php.net>
Wed, 5 Oct 2016 05:40:09 +0000 (22:40 -0700)
committerAnatol Belski <ab@php.net>
Thu, 13 Oct 2016 23:41:06 +0000 (01:41 +0200)
(cherry picked from commit d946d102936525bc7dcd01f3827d0a6e0bb971b0)
(cherry picked from commit b26b02b2df95eaa647ea3f4e7b42bd11eea4ed2c)

ext/intl/resourcebundle/resourcebundle_class.c

index fd255d57cd6b32ea3f12f42821e8688bf4a4047e..47d9bf0403de0eb2157027c5992d3be60b93ea86 100644 (file)
@@ -101,6 +101,13 @@ static int resourcebundle_ctor(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_constr
                locale = intl_locale_get_default();
        }
 
+       if (bundlename_len >= MAXPATHLEN) {
+               intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "Bundle name too long", 0 );
+               zval_dtor(return_value);
+               ZVAL_NULL(return_value);
+               return FAILURE;
+       }
+
        if (fallback) {
                rb->me = ures_open(bundlename, locale, &INTL_DATA_ERROR_CODE(rb));
        } else {
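Review bot: The new length guard bounds only `bundlename`, yet `locale` is passed to the same `ures_open()` call at the end of this hunk and no length check on it is visible here. If `locale` is not bounded earlier in `resourcebundle_ctor` (the function starts and ends outside the hunk), the mitigation covers only one of the two strings that reach ICU. The guard also needs a comment saying why a filesystem limit is applied to a bundle name, for example `/* Bug #73218: reject over-long bundle names before they reach ICU (int overflow mitigation) */`. The same comment fits the identical guard in `resourcebundle_locales` in the second hunk.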
@@ -331,6 +338,11 @@ PHP_FUNCTION( resourcebundle_locales )
                RETURN_FALSE;
        }
 
+       if (bundlename_len >= MAXPATHLEN) {
+               intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "resourcebundle_locales: bundle name too long", 0 );
+               RETURN_FALSE;
+       }
+
        if(bundlename_len == 0) {
                // fetch default locales list
                bundlename = NULL;
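Review bot: The error text here carries the function name (`resourcebundle_locales: bundle name too long`), while the matching guard in `resourcebundle_ctor` in the first hunk reports a bare `Bundle name too long`, so the same rejection reads differently depending on the entry point. Using one convention, e.g. `"resourcebundle_ctor: bundle name too long"` in the constructor, lets whoever reads the intl error message tell which call refused the input. The `bundlename_len >= MAXPATHLEN` test is also repeated verbatim in both places; a small shared helper or macro would keep the two bounds from drifting apart if the limit is ever changed. The body of `resourcebundle_locales` continues outside the hunk.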