Fixed bug #60206 (possible integer overflow in content_length)

diff --git a/NEWS b/NEWS
index 5a8189c4888cc7f75fcb1635966582992dc5a916..0130d1620ead6d0997cd1c6c3810ebf9372e4b4a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,9 @@ PHP                                                                        NEWS
   . Fixed bug #60201 (SplFileObject::setCsvControl does not expose third
     argument via Reflection). (Peter)
 
+- SAPI:
+  . Fixed bug #60205 (possible integer overflow in content_length). (Laruence)
+
 20 Oct 2011, PHP 5.4.0 beta2
 - General improvements:
   . Improve the warning message of incompatible arguments. (Laruence) 

diff --git a/sapi/apache/mod_php5.c b/sapi/apache/mod_php5.c
index 16f7756d678a5a86fc42daa5c18a0d3d8f96ef8a..74148be30a130bde254de1fa7eeeaa73b1b92b4c 100644 (file)
--- a/sapi/apache/mod_php5.c
+++ b/sapi/apache/mod_php5.c
@@ -529,7 +529,7 @@ static void init_request_info(TSRMLS_D)
        SG(request_info).request_uri = r->uri;
        SG(request_info).request_method = (char *)r->method;
        SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
-       SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+       SG(request_info).content_length = (content_length ? atol(content_length) : 0);
        SG(sapi_headers).http_response_code = r->status;
        SG(request_info).proto_num = r->proto_num;
 

diff --git a/sapi/apache2filter/sapi_apache2.c b/sapi/apache2filter/sapi_apache2.c
index b8699a9d49be3bc5fd93c06a0a4d09ce99b976a0..c3d6d5fb0d34512575a1f1660aabc7b7c71c7f86 100644 (file)
--- a/sapi/apache2filter/sapi_apache2.c
+++ b/sapi/apache2filter/sapi_apache2.c
@@ -419,7 +419,7 @@ static void php_apache_request_ctor(ap_filter_t *f, php_struct *ctx TSRMLS_DC)
        efree(content_type);
 
        content_length = (char *) apr_table_get(f->r->headers_in, "Content-Length");
-       SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+       SG(request_info).content_length = (content_length ? atol(content_length) : 0);
        
        apr_table_unset(f->r->headers_out, "Content-Length");
        apr_table_unset(f->r->headers_out, "Last-Modified");

diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c
index a7f250d51251c3007a65d394a3fe1fe4aae79f8b..bb772b24c1728f23bcfae5034a3bd1f050f9eb01 100644 (file)
--- a/sapi/apache2handler/sapi_apache2.c
+++ b/sapi/apache2handler/sapi_apache2.c
@@ -483,7 +483,7 @@ static int php_apache_request_ctor(request_rec *r, php_struct *ctx TSRMLS_DC)
        r->no_local_copy = 1;
 
        content_length = (char *) apr_table_get(r->headers_in, "Content-Length");
-       SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+       SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 
        apr_table_unset(r->headers_out, "Content-Length");
        apr_table_unset(r->headers_out, "Last-Modified");

diff --git a/sapi/apache_hooks/mod_php5.c b/sapi/apache_hooks/mod_php5.c
index b976edf431aeac7c886c978e9858240b49691ec3..0a814df953998c137418393099d121ddf149e617 100644 (file)
--- a/sapi/apache_hooks/mod_php5.c
+++ b/sapi/apache_hooks/mod_php5.c
@@ -582,7 +582,7 @@ static void init_request_info(TSRMLS_D)
        SG(request_info).request_method = (char *)r->method;
        SG(request_info).proto_num = r->proto_num;
        SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
-       SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+       SG(request_info).content_length = (content_length ? atol(content_length) : 0);
        SG(sapi_headers).http_response_code = r->status;
 
        if (r->headers_in) {

diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index d6d8bebfe0f1e89f939a81c48bd6345607ecb4d4..c54f4836891f34f58926db9a528e9ae8d5d128e3 100644 (file)
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1413,7 +1413,7 @@ static void init_request_info(fcgi_request *request TSRMLS_DC)
                /* FIXME - Work out proto_num here */
                SG(request_info).query_string = CGI_GETENV("QUERY_STRING");
                SG(request_info).content_type = (content_type ? content_type : "" );
-               SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+               SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 
                /* The CGI RFC allows servers to pass on unvalidated Authorization data */
                auth = CGI_GETENV("HTTP_AUTHORIZATION");

diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
index a9298e757352ad3429166048da1a45088fb130e0..6ad53df4f19fc06a8f6431f18449c42dc9dc0c67 100644 (file)
--- a/sapi/fpm/fpm/fpm_main.c
+++ b/sapi/fpm/fpm/fpm_main.c
@@ -1325,7 +1325,7 @@ static void init_request_info(TSRMLS_D)
                /* FIXME - Work out proto_num here */
                SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING", sizeof("QUERY_STRING") - 1 TSRMLS_CC);
                SG(request_info).content_type = (content_type ? content_type : "" );
-               SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+               SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 
                /* The CGI RFC allows servers to pass on unvalidated Authorization data */
                auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION") - 1 TSRMLS_CC);