From: Stanislav Malyshev
Date: Tue, 11 Oct 2016 20:37:47 +0000 (-0700)
Subject: Fix bug #73276 - crash in openssl_random_pseudo_bytes function
X-Git-Tag: php-7.1.0RC4~21^2~26
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7dc8b5e7aefce963a7a222c48ee3506725c4776b;p=php

Fix bug #73276 - crash in openssl_random_pseudo_bytes function

(cherry picked from commit 85a22a0af0722ef3a8d49a056a0b2b18be1fb981)
---

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index e2f9fafacf..bf1f0c51a9 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -5546,7 +5546,11 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
 return;
 }
 
- if (buffer_length <= 0) {
+ if (buffer_length <= 0
+#ifndef PHP_WIN32
+ || ZEND_LONG_INT_OVFL(buffer_length)
+#endif
+ ) {
 RETURN_FALSE;
 }
 
@@ -5570,6 +5574,7 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
 
 PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length);
 PHP_OPENSSL_RAND_ADD_TIME();
+ /* FIXME loop if requested size > INT_MAX */
 if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) {
 zend_string_release(buffer);
 if (zstrong_result_returned) {
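Review bot: The new `ZEND_LONG_INT_OVFL(buffer_length)` rejection in the first hunk fails silently: a caller asking for more than INT_MAX bytes gets `false` with no diagnostic, and code that feeds the result into a key or token without checking it will carry on with an empty value. Consider emitting a warning on that path, e.g. `php_error_docref(NULL, E_WARNING, "Requested length is too large");` immediately before `RETURN_FALSE;`. The guard is compiled out under `PHP_WIN32`, so it is worth confirming that the `(int)buffer_length` cast in the second hunk cannot be reached on that build. The function body starts and continues outside the hunk, so the handling of `zstrong_result_returned` on this early return is not visible here.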
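Review bot: The added `/* FIXME loop if requested size > INT_MAX */` in the second hunk reads as if oversized requests still reach `RAND_bytes()`, but the first hunk now returns false for them on non-Windows builds. The comment should instead say what protects the `(int)buffer_length` cast. Suggested wording: `/* buffer_length <= INT_MAX is enforced by the length check above; larger requests are rejected, not looped (FIXME) */`. Any `#ifdef` enclosing this call lies outside the hunk, so whether this path is built only for non-Windows targets cannot be confirmed from here.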