From 28ed30df53ad694530961b4fc817900190bbbb86 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 5 Jul 2016 15:43:01 +0200 Subject: [PATCH] fix datatypes and add range checks --- ext/intl/dateformat/dateformat_parse.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/ext/intl/dateformat/dateformat_parse.c b/ext/intl/dateformat/dateformat_parse.c index 2ba5e3089d..81a432e1af 100644 --- a/ext/intl/dateformat/dateformat_parse.c +++ b/ext/intl/dateformat/dateformat_parse.c @@ -130,7 +130,7 @@ PHP_FUNCTION(datefmt_parse) char* text_to_parse = NULL; size_t text_len =0; zval* z_parse_pos = NULL; - zend_long parse_pos = -1; + int32_t parse_pos = -1; DATE_FORMAT_METHOD_INIT_VARS; @@ -147,7 +147,12 @@ PHP_FUNCTION(datefmt_parse) if (z_parse_pos) { ZVAL_DEREF(z_parse_pos); convert_to_long(z_parse_pos); - parse_pos = Z_LVAL_P(z_parse_pos); + if (ZEND_LONG_INT_OVFL(Z_LVAL_P(z_parse_pos))) { + intl_error_set_code(NULL, U_ILLEGAL_ARGUMENT_ERROR); + intl_error_set_custom_msg(NULL, "Input string is too long.", 0); + RETURN_FALSE; + } + parse_pos = (int32_t)Z_LVAL_P(z_parse_pos); if((size_t)parse_pos > text_len) { RETURN_FALSE; } @@ -169,7 +174,7 @@ PHP_FUNCTION(datefmt_localtime) char* text_to_parse = NULL; size_t text_len =0; zval* z_parse_pos = NULL; - zend_long parse_pos = -1; + int32_t parse_pos = -1; DATE_FORMAT_METHOD_INIT_VARS; @@ -186,7 +191,12 @@ PHP_FUNCTION(datefmt_localtime) if (z_parse_pos) { ZVAL_DEREF(z_parse_pos); convert_to_long(z_parse_pos); - parse_pos = Z_LVAL_P(z_parse_pos); + if (ZEND_LONG_INT_OVFL(Z_LVAL_P(z_parse_pos))) { + intl_error_set_code(NULL, U_ILLEGAL_ARGUMENT_ERROR); + intl_error_set_custom_msg(NULL, "Input string is too long.", 0); + RETURN_FALSE; + } + parse_pos = (int32_t)Z_LVAL_P(z_parse_pos); if((size_t)parse_pos > text_len) { RETURN_FALSE; } -- 2.50.1