re-add range check

author Anatol Belski <ab@php.net>

Tue, 5 Jul 2016 10:09:22 +0000 (12:09 +0200)

committer Anatol Belski <ab@php.net>

Tue, 5 Jul 2016 13:15:20 +0000 (15:15 +0200)
author Anatol Belski <ab@php.net>
Tue, 5 Jul 2016 10:09:22 +0000 (12:09 +0200)
committer Anatol Belski <ab@php.net>
Tue, 5 Jul 2016 13:15:20 +0000 (15:15 +0200)
diff --git a/ext/intl/uchar/uchar.c b/ext/intl/uchar/uchar.c

index abb3e59671ff8b702717f7684080bd27fd982caa..a7e5c173401b34185bc10b68ae417cc922e8199a 100644 (file)
--- a/ext/intl/uchar/uchar.c
+++ b/ext/intl/uchar/uchar.c
@@ -8,12 +8,21 @@
  
  static inline int convert_cp(UChar32* pcp, zval *zcp) {
         zend_long cp = -1;
+
         if (Z_TYPE_P(zcp) == IS_LONG) {
                 cp = Z_LVAL_P(zcp);
         } else if (Z_TYPE_P(zcp) == IS_STRING) {
-               size_t i = 0;
-               U8_NEXT(Z_STRVAL_P(zcp), i, Z_STRLEN_P(zcp), cp);
-               if (i != Z_STRLEN_P(zcp)) {
+               int32_t i = 0;
+               size_t zcp_len = Z_STRLEN_P(zcp);
+
+               if (ZEND_SIZE_T_INT_OVFL(zcp_len)) {
+                       intl_error_set_code(NULL, U_ILLEGAL_ARGUMENT_ERROR);
+                       intl_error_set_custom_msg(NULL, "Input string is too long.", 0);
+                       return FAILURE;
+               }
+
+               U8_NEXT(Z_STRVAL_P(zcp), i, zcp_len, cp);
+               if ((size_t)i != zcp_len) {
                         intl_error_set_code(NULL, U_ILLEGAL_ARGUMENT_ERROR);
                         intl_error_set_custom_msg(NULL, "Passing a UTF-8 character for codepoint requires a string which is exactly one UTF-8 codepoint long.", 0);
                         return FAILURE;
author	Anatol Belski <ab@php.net>
	Tue, 5 Jul 2016 10:09:22 +0000 (12:09 +0200)
committer	Anatol Belski <ab@php.net>
	Tue, 5 Jul 2016 13:15:20 +0000 (15:15 +0200)