From 06e475e537150a5eb3ba5e162347388a8b745586 Mon Sep 17 00:00:00 2001
From: Felipe Pena <felipe@php.net>
Date: Tue, 8 Mar 2011 13:11:14 +0000
Subject: [PATCH] - Fixed bug #54193 (Integer overflow in shmop_read())
---
 NEWS | 2 ++
 ext/shmop/shmop.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 161d8c830c..a4dbaa109b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2011, PHP 5.3.6
+- Shmop extension:
+ . Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe)
 03 Mar 2011, PHP 5.3.6RC2
 - Zend Engine:
diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c
index f88f4a3465..f96179aab7 100644
--- a/ext/shmop/shmop.c
+++ b/ext/shmop/shmop.c
@@ -256,7 +256,7 @@ PHP_FUNCTION(shmop_read)
 RETURN_FALSE;
 }
- if (start + count > shmop->size || count < 0) {
+ if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
 RETURN_FALSE;
 }
-- 
2.40.0
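Review bot: The order of the three tests in the new `if` in ext/shmop/shmop.c is load-bearing and nothing in the code says so: `count < 0` has to be evaluated first, because `INT_MAX - count` could itself overflow for a negative `count`, and `start + count` is only safe to compute once the second test has passed. I would add a comment above it such as `/* order matters: reject negative count, then rule out overflow, before computing start + count */`. If the check that ends just above this hunk (only its `RETURN_FALSE; }` tail is visible) already confines `start` to `0..shmop->size`, the subtraction form `if (count < 0 || count > shmop->size - start) {` would avoid the addition altogether and would not depend on `INT_MAX` or on the declared width of `start` and `count`, neither of which is visible here. The body of `PHP_FUNCTION(shmop_read)` starts and ends outside the hunk, so the types and the earlier `start` check should be confirmed against the full function.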