From: Felipe Pena Date: Tue, 8 Mar 2011 13:11:14 +0000 (+0000) Subject: - Fixed bug #54193 (Integer overflow in shmop_read()) X-Git-Tag: php-5.3.6RC3~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=06e475e537150a5eb3ba5e162347388a8b745586;p=php - Fixed bug #54193 (Integer overflow in shmop_read()) --- diff --git a/NEWS b/NEWS index 161d8c830c..a4dbaa109b 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,8 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2011, PHP 5.3.6 +- Shmop extension: + . Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe) 03 Mar 2011, PHP 5.3.6RC2 - Zend Engine: diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c index f88f4a3465..f96179aab7 100644 --- a/ext/shmop/shmop.c +++ b/ext/shmop/shmop.c @@ -256,7 +256,7 @@ PHP_FUNCTION(shmop_read) RETURN_FALSE; } - if (start + count > shmop->size || count < 0) { + if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range"); RETURN_FALSE; }