Fix bug #73276 - crash in openssl_random_pseudo_bytes function
authorStanislav Malyshev <stas@php.net>
Tue, 11 Oct 2016 20:37:47 +0000 (13:37 -0700)
committerAnatol Belski <ab@php.net>
Thu, 13 Oct 2016 23:42:19 +0000 (01:42 +0200)
(cherry picked from commit 85a22a0af0722ef3a8d49a056a0b2b18be1fb981)
(cherry picked from commit 7dc8b5e7aefce963a7a222c48ee3506725c4776b)

ext/openssl/openssl.c

index 9198530b1d7bc8b0cd2fba8951493482f68cfebf..7fbbbe87921ea81eb201d24f06a9fd5b8342614f 100644 (file)
@@ -6458,7 +6458,11 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
                return;
        }
 
-       if (buffer_length <= 0) {
+       if (buffer_length <= 0
+#ifndef PHP_WIN32
+               || ZEND_LONG_INT_OVFL(buffer_length)
+#endif
+                       ) {
                RETURN_FALSE;
        }
 
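Review bot: The new overflow branch returns FALSE with no diagnostic, so a caller that requests more than INT_MAX bytes and does not check the return value ends up holding `false` where it expected random bytes. Giving the overflow test its own `if` inside the `#ifndef PHP_WIN32` block, with `php_error_docref(NULL, E_WARNING, "length is too long");` before `RETURN_FALSE;`, would make the rejection visible while leaving the `buffer_length <= 0` case as it is. The guard is compiled out under `PHP_WIN32` without explanation; a comment such as `/* the non-Windows path hands the length to RAND_bytes() as an int */` would record why, and the Windows branch, which is not shown here, should be checked for how it treats very large lengths. The function body starts before and continues after this hunk.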
@@ -6482,6 +6486,7 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
 
        PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length);
        PHP_OPENSSL_RAND_ADD_TIME();
+       /* FIXME loop if requested size > INT_MAX */
        if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) {
                zend_string_release(buffer);
                if (zstrong_result_returned) {
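Review bot: The added FIXME does not say what the code does today: with the guard from the first hunk, a length above INT_MAX is rejected before this point, so the `(int)buffer_length` cast in the `RAND_bytes()` call cannot truncate. I would word the comment to state that invariant and keep the to-do, e.g. `/* buffer_length <= INT_MAX is enforced above, so the cast is safe; FIXME: loop to support larger requests */`. The `PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length)` context line presumably repeats the same range test and now looks unreachable on this path. If it can return after `buffer` has been allocated it would also skip the `zend_string_release(buffer)` seen below, so it is worth confirming against the macro definition and removing if redundant. The function continues past the end of this hunk.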