From: Ilia Alshanetsky Date: Fri, 6 Aug 2010 19:55:10 +0000 (+0000) Subject: Fixed issues inside str_pad() identified by bug #52550 X-Git-Tag: php-5.4.0alpha1~191^2~1142 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e4b1575d58eee5d9f478cf192986161c24f1e3d3;p=php Fixed issues inside str_pad() identified by bug #52550 --- diff --git a/ext/standard/string.c b/ext/standard/string.c index 30567dc2b5..abd33d6ee8 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -4870,7 +4870,7 @@ PHP_FUNCTION(str_pad) long pad_length; /* Length to pad to */ /* Helper variables */ - int num_pad_chars; /* Number of padding characters (total - input size) */ + size_t num_pad_chars; /* Number of padding characters (total - input size) */ char *result = NULL; /* Resulting string */ int result_len = 0; /* Length of the resulting string */ char *pad_str_val = " "; /* Pointer to padding string */ @@ -4883,11 +4883,9 @@ PHP_FUNCTION(str_pad) return; } - num_pad_chars = pad_length - input_len; - /* If resulting string turns out to be shorter than input string, we simply copy the input and return. */ - if (pad_length <= 0 || num_pad_chars <= 0) { + if (pad_length <= 0 || (pad_length - input_len) <= 0) { RETURN_STRINGL(input, input_len, 1); } @@ -4901,6 +4899,11 @@ PHP_FUNCTION(str_pad) return; } + num_pad_chars = pad_length - input_len; + if (num_pad_chars >= INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Padding length is too long"); + return; + } result = (char *)emalloc(input_len + num_pad_chars + 1); /* We need to figure out the left/right padding lengths. */
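Review bot: The guard added in the last hunk bounds only `num_pad_chars`, while the size passed to `emalloc()` is `input_len + num_pad_chars + 1` and the final length is kept in `int result_len` (declared in the first hunk). Where `long` is wider than `int`, a large input plus padding just under `INT_MAX` passes the check, yet the combined length can exceed `INT_MAX`, so the int length bookkeeping could wrap; the code that fills the buffer lies outside the hunk, so this is inferred rather than confirmed. Since `pad_length` is the final string length, bounding it directly covers both cases: `if (pad_length >= INT_MAX) {`. A short comment such as `/* result_len is an int: reject totals that cannot be represented */` above the check would record why the limit is `INT_MAX`.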