From: Ilia Alshanetsky Date: Sun, 3 Jun 2007 18:47:10 +0000 (+0000) Subject: Corrected fix for CVE-2007-2872 X-Git-Tag: php-5.2.4RC1~446 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=405a15043f89af7aafdf3975db84059093f0ecdc;p=php Corrected fix for CVE-2007-2872 --- diff --git a/NEWS b/NEWS index 29e2d39bd6..742f1b3d4f 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,7 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2007, PHP 5.2.4 - Improved fix for MOPB-02-2007. (Ilia) +- Corrected fix for CVE-2007-2872. (Ilia) - Added GD version constants GD_MAJOR_VERSION, GD_MINOR_VERSION GD_RELEASE_VERSION, GD_EXTRA_VERSION and GD_VERSION_STRING (Pierre) - Fixed bug #41518 (file_exists() warns of open_basedir restriction on diff --git a/ext/standard/string.c b/ext/standard/string.c index 7c4b07efc1..2d7a7f02d2 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -1956,18 +1956,20 @@ static char *php_chunk_split(char *src, int srclen, char *end, int endlen, int c char *p, *q; int chunks; /* complete chunks! */ int restlen; - int out_len; + float out_len; chunks = srclen / chunklen; restlen = srclen - chunks * chunklen; /* srclen % chunklen */ - out_len = (srclen + (chunks + 1) * endlen + 1); + out_len = chunks + 1; + out_len *= endlen; + out_len += srclen + 1; if (out_len > INT_MAX || out_len <= 0) { return NULL; } - dest = safe_emalloc(out_len, sizeof(char), 0); + dest = safe_emalloc((int)out_len, sizeof(char), 0); for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) { memcpy(q, p, chunklen); diff --git a/ext/standard/tests/strings/chunk_split.phpt b/ext/standard/tests/strings/chunk_split.phpt index cfb817def1..f25cee9457 100644 --- a/ext/standard/tests/strings/chunk_split.phpt +++ b/ext/standard/tests/strings/chunk_split.phpt @@ -12,6 +12,12 @@ $b=1; $c=str_repeat("B", 65535); var_dump(chunk_split($a,$b,$c)); +$a=str_repeat("B", 65536); +$b=1; +$c=str_repeat("B", 65536); +var_dump(chunk_split($a,$b,$c)); + + ?> --EXPECT-- a-b-c- @@ -25,3 +31,4 @@ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX test|end bool(false) +bool(false)