From: Pierre Joye Date: Wed, 28 Apr 2010 14:10:01 +0000 (+0000) Subject: - fix possible Dechunking Filter Buffer Overflow X-Git-Tag: php-5.3.3RC1~244 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=17f5a9d2a27e366e0e2c2cc6c8ee53fe32c1959d;p=php - fix possible Dechunking Filter Buffer Overflow --- diff --git a/NEWS b/NEWS index e260a4722c..73982130fe 100644 --- a/NEWS +++ b/NEWS @@ -21,6 +21,8 @@ PHP NEWS - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey) +- Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser. + (Pierre) - Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski. (Ilia) - Fixed string format validation inside phar extension. Reported by Stefan diff --git a/ext/standard/filters.c b/ext/standard/filters.c index 9fa3a17199..ae7e03022f 100644 --- a/ext/standard/filters.c +++ b/ext/standard/filters.c @@ -1914,7 +1914,7 @@ typedef enum _php_chunked_filter_state { typedef struct _php_chunked_filter_data { php_chunked_filter_state state; - int chunk_size; + size_t chunk_size; int persistent; } php_chunked_filter_data; @@ -1991,7 +1991,7 @@ static int php_dechunk(char *buf, int len, php_chunked_filter_data *data) continue; } case CHUNK_BODY: - if (end - p >= data->chunk_size) { + if ((size_t) (end - p) >= data->chunk_size) { if (p != out) { memmove(out, p, data->chunk_size); }
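Review bot: changing `chunk_size` from `int` to `size_t` in `php_chunked_filter_data` alters the signedness of every expression the field participates in, and this hunk shows only the declaration; the other reads and writes of `data->chunk_size` (the place where the hex chunk length is parsed and accumulated, and any decrement as body bytes are consumed) are not in the diff and should be checked so that no remaining `int` comparison or arithmetic still mixes signed and unsigned values. The sequence `- int chunk_size;` / `+ size_t chunk_size;` is the right direction for a length that is passed straight to `memmove`, but it would be worth a one-line comment on the field noting that it must never be computed from a signed intermediate.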
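Review bot: in the `CHUNK_BODY` hunk the new test `if ((size_t) (end - p) >= data->chunk_size)` is only safe because `p` cannot exceed `end` at this point; if that invariant were ever violated the cast would turn a negative difference into a huge unsigned value and the comparison would pass, so a short comment stating the `p <= end` invariant (or an explicit `p < end` guard ahead of the cast) would make the intent clear to the next reader. Note also that `php_dechunk` still takes `int len`, so `end` is derived from a signed length while `chunk_size` is now unsigned; the cast here papers over that mismatch rather than removing it, and the hunk does not show the parse site that bounds `chunk_size`, which is where the original overflow originated and which should be confirmed to reject values that wrap.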