From: Stanislav Malyshev
Date: Wed, 3 Aug 2016 07:58:55 +0000 (-0700)
Subject: Fix bug #72674 - check both curl_escape and curl_unescape
X-Git-Tag: php-7.1.0beta3~33^2~8^2~17
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=72dbb7f416160f490c4e9987040989a10ad431c7;p=php
Fix bug #72674 - check both curl_escape and curl_unescape
---
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index be15785cd0..7069710ece 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -3517,7 +3517,7 @@ PHP_FUNCTION(curl_reset)
 PHP_FUNCTION(curl_escape)
 {
 char *str = NULL, *res = NULL;
- size_t str_len = 0;
+ size_t str_len = 0;
 zval *zid;
 php_curl *ch;
@@ -3529,6 +3529,10 @@ PHP_FUNCTION(curl_escape)
 RETURN_FALSE;
 }
+ if (ZEND_SIZE_T_INT_OVFL(str_len)) {
+ RETURN_FALSE;
+ }
+
 if ((res = curl_easy_escape(ch->cp, str, str_len))) {
 RETVAL_STRING(res);
 curl_free(res);
@@ -3556,7 +3560,7 @@ PHP_FUNCTION(curl_unescape)
 RETURN_FALSE;
 }
- if (str_len > INT_MAX) {
+ if (ZEND_SIZE_T_INT_OVFL(str_len)) {
 RETURN_FALSE;
 }
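Review bot: The guard added to curl_escape returns FALSE with no comment, so nothing in the code records that it exists because `curl_easy_escape()` takes an `int` length and a larger `size_t` value would be truncated on the way in. I would put `/* curl_easy_escape() takes an int length; reject values that would truncate */` above the check and make the narrowing visible at the call with `curl_easy_escape(ch->cp, str, (int)str_len)`. The same comment fits the curl_unescape hunk, where the macro replaces `str_len > INT_MAX`; that replacement suggests the macro makes the same comparison, but its definition is not shown on this page. Both function bodies start and end outside the hunks.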