From: Stanislav Malyshev <stas@php.net>
Date: Wed, 13 Jul 2016 05:59:19 +0000 (-0700)
Subject: Fix bug #72541 - size_t overflow lead to heap corruption
X-Git-Tag: php-7.1.0beta1~28^2~1^2~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2ca8d85dd4ac6d5f8c046f339f9636e3099b0f08;p=php

Fix bug #72541 - size_t overflow lead to heap corruption
---

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 6a616411ef..7d085de73c 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -3595,6 +3595,10 @@ PHP_FUNCTION(curl_unescape)
 		RETURN_FALSE;
 	}
 
+	if (str_len > INT_MAX) {
+		RETURN_FALSE;
+	}
+
 	if ((out = curl_easy_unescape(ch->cp, str, str_len, &out_len))) {
 		RETVAL_STRINGL(out, out_len);
 		curl_free(out);