From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 30 May 2007 00:38:00 +0000 (+0000)
Subject: MFB: Fixed an interger overflow inside chunk_split(), identified by
X-Git-Tag: RELEASE_1_4~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8cd0541be1b4288948a6f25ed98e8d3ebdfa6c58;p=php

MFB: Fixed an interger overflow inside chunk_split(), identified by
Gerhard Wagner
---

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 584b98cf13..53791b0868 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3083,6 +3083,7 @@ static char* php_chunk_split(char *src, int srclen, char *end, int endlen, int c
 	int chunks; /* complete chunks! */
 	int restlen;
 	int charsize = sizeof(char);
+	int out_len;
 
 	if (str_type == IS_UNICODE) {
 		charsize = sizeof(UChar);
@@ -3091,7 +3092,13 @@ static char* php_chunk_split(char *src, int srclen, char *end, int endlen, int c
 	chunks = srclen / chunklen;
 	restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
-	dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), charsize, 0);
+	out_len = (srclen + (chunks + 1) * endlen + 1);
+
+	if ((out_len > INT_MAX || out_len <= 0) || ((out_len * charsize) > INT_MAX || (out_len * charsize) <= 0)) {
+		return NULL;
+	}
+
+	dest = safe_emalloc(out_len, charsize, 0);
 
 	for (p = src, q = dest; p < (src + charsize * (srclen - chunklen + 1)); ) {
 		memcpy(q, p, chunklen * charsize);
diff --git a/ext/standard/tests/strings/chunk_split.phpt b/ext/standard/tests/strings/chunk_split.phpt
index b6bed3ab48..cfb817def1 100644
--- a/ext/standard/tests/strings/chunk_split.phpt
+++ b/ext/standard/tests/strings/chunk_split.phpt
@@ -6,6 +6,12 @@ echo chunk_split('abc', 1, '-')."\n";
 echo chunk_split('foooooooooooooooo', 5)."\n";
 echo chunk_split(str_repeat('X', 2*76))."\n";
 echo chunk_split("test", 10, "|end") . "\n";
+
+$a=str_repeat("B", 65535);
+$b=1;
+$c=str_repeat("B", 65535);
+var_dump(chunk_split($a,$b,$c));
+
 ?>
 --EXPECT--
 a-b-c-
@@ -18,3 +24,4 @@ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
 test|end
+bool(false)