From: Stanislav Malyshev <stas@php.net>
Date: Tue, 14 Jun 2016 06:12:47 +0000 (-0700)
Subject: Fix bug #72275: don't allow smart_str to overflow int
X-Git-Tag: php-5.5.37~7^2~11
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=489fd56fe37bf40a662931c2b4d5baa918f13e37;p=php

Fix bug #72275: don't allow smart_str to overflow int
---

diff --git a/ext/standard/php_smart_str.h b/ext/standard/php_smart_str.h
index 1872fa8647..fc1a753dd5 100644
--- a/ext/standard/php_smart_str.h
+++ b/ext/standard/php_smart_str.h
@@ -63,6 +63,9 @@
 		newlen = (d)->len + (n);									\
 		if (newlen >= (d)->a) {										\
 			(d)->a = newlen + SMART_STR_PREALLOC;					\
+	        if (UNEXPECTED((d)->a >= INT_MAX)) {					\
+                zend_error(E_ERROR, "String size overflow");		\
+            }														\
 			SMART_STR_DO_REALLOC(d, what);							\
 		}															\
 	}																\
@@ -148,17 +151,17 @@
  * for GCC compatible compilers, e.g.
  *
  * #define f(..) ({char *r;..;__r;})
- */  
- 
+ */
+
 static inline char *smart_str_print_long(char *buf, long num) {
-	char *r; 
-	smart_str_print_long4(buf, num, unsigned long, r); 
+	char *r;
+	smart_str_print_long4(buf, num, unsigned long, r);
 	return r;
 }
 
 static inline char *smart_str_print_unsigned(char *buf, long num) {
-	char *r; 
-	smart_str_print_unsigned4(buf, num, unsigned long, r); 
+	char *r;
+	smart_str_print_unsigned4(buf, num, unsigned long, r);
 	return r;
 }
 
@@ -168,7 +171,7 @@ static inline char *smart_str_print_unsigned(char *buf, long num) {
    	smart_str_print##func##4 (__b + sizeof(__b) - 1, (num), vartype, __t);	\
 	smart_str_appendl_ex((dest), __t, __b + sizeof(__b) - 1 - __t, (type));	\
 } while (0)
-	
+
 #define smart_str_append_unsigned_ex(dest, num, type) \
 	smart_str_append_generic_ex((dest), (num), (type), unsigned long, _unsigned)