From: Stanislav Malyshev Date: Tue, 20 Jun 2017 07:09:01 +0000 (-0700) Subject: Fix bug #74603 - use correct buffer size X-Git-Tag: php-7.0.22RC1~25 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=05255749139b3686c8a6a58ee01131ac0047465e;p=php Fix bug #74603 - use correct buffer size --- diff --git a/Zend/tests/bug74603.ini b/Zend/tests/bug74603.ini new file mode 100644 index 0000000000..8d74a570ec --- /dev/null +++ b/Zend/tests/bug74603.ini @@ -0,0 +1 @@ +0=0&~2000000000 diff --git a/Zend/tests/bug74603.phpt b/Zend/tests/bug74603.phpt new file mode 100644 index 0000000000..b3194ecd48 --- /dev/null +++ b/Zend/tests/bug74603.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability) +--SKIPIF-- + +--EXPECT-- +array(1) { + [0]=> + string(1) "0" +} diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y index e83f02f983..f252581081 100644 --- a/Zend/zend_ini_parser.y +++ b/Zend/zend_ini_parser.y @@ -55,7 +55,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2) int i_result; int i_op1, i_op2; int str_len; - char str_result[MAX_LENGTH_OF_LONG]; + char str_result[MAX_LENGTH_OF_LONG+1]; i_op1 = atoi(Z_STRVAL_P(op1)); zend_string_free(Z_STR_P(op1));