From: Stanislav Malyshev
Date: Wed, 13 Jul 2016 06:13:52 +0000 (-0700)
Subject: Fix bug #72551 and bug #72552 - check before converting size_t->int
X-Git-Tag: php-7.1.0beta1~28^2~1^2~2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3810e7b362e7bdef00ad33ae683a49aa7ab19e0d;p=php
Fix bug #72551 and bug #72552 - check before converting size_t->int
---
diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index fb5c638c97..73acaa29f2 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -645,6 +645,10 @@ PHP_FUNCTION(mcrypt_generic)
 memset(ZSTR_VAL(data_str), 0, data_size);
 memcpy(ZSTR_VAL(data_str), data, data_len);
 } else { /* It's not a block algorithm */
+ if (data_len > INT_MAX) {
+ php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+ RETURN_FALSE;
+ }
 data_size = (int)data_len;
 data_str = zend_string_alloc(data_size, 0);
 memset(ZSTR_VAL(data_str), 0, data_size);
@@ -695,6 +699,10 @@ PHP_FUNCTION(mdecrypt_generic)
 memset(data_s, 0, data_size);
 memcpy(data_s, data, data_len);
 } else { /* It's not a block algorithm */
+ if (data_len > INT_MAX) {
+ php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+ RETURN_FALSE;
+ }
 data_size = (int)data_len;
 data_s = emalloc(data_size + 1);
 memset(data_s, 0, data_size);
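Review bot: The new `data_len > INT_MAX` guard in mcrypt_generic sits only in the non-block `else` branch, while the block-algorithm branch shown in the context lines still does `memcpy(ZSTR_VAL(data_str), data, data_len)` into a buffer sized by `data_size`. That `data_size` is computed above the hunk, so this cannot be confirmed from here, but if it is an `int` rounded up from `data_len` it can come out smaller than `data_len` for very large inputs, and the copy would then write past the allocation. Consider hoisting the length check above the block/non-block split and rejecting a rounded size that does not fit, e.g. `if (data_size <= 0 || (size_t)data_size < data_len) { ... RETURN_FALSE; }` after the block-size rounding. The same applies to the block branch (`memcpy(data_s, data, data_len)`) in the mdecrypt_generic hunk; both function bodies start and end outside the hunks.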
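Review bot: In mdecrypt_generic the guard still admits `data_len == INT_MAX`, and the next statement `emalloc(data_size + 1)` then evaluates `INT_MAX + 1` if `data_size` is an `int` (its declaration is outside the hunk, but the `(int)` cast suggests it is). That is signed overflow, which is undefined behaviour and would most likely reach the allocator as a wrapped size. Tighten the bound in this function to `if (data_len >= INT_MAX) {`, or do the addition in the wider type with `data_s = emalloc((size_t)data_size + 1);`. The function body continues past the end of the hunk.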