From 29e2a204fb42af061e66a9f847ffbc8f1d13897a Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Wed, 28 Sep 2016 22:29:25 -0700 Subject: [PATCH] Fixed bug #73174 - heap overflow in php_pcre_replace_impl --- ext/pcre/php_pcre.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c index 7589a7803c..2a8ff199b8 100644 --- a/ext/pcre/php_pcre.c +++ b/ext/pcre/php_pcre.c @@ -1075,8 +1075,8 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub char **subpat_names; /* Array for named subpatterns */ int num_subpats; /* Number of captured subpatterns */ int size_offsets; /* Size of the offsets array */ - int new_len; /* Length of needed storage */ - int alloc_len; /* Actual allocated length */ + size_t new_len; /* Length of needed storage */ + size_t alloc_len; /* Actual allocated length */ int eval_result_len=0; /* Length of the eval'ed or function-returned string */ int match_len; /* Length of the current match */ @@ -1146,8 +1146,8 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0); - alloc_len = 2 * subject_len + 1; - result = safe_emalloc(alloc_len, sizeof(char), 0); + result = safe_emalloc(subject_len, 2*sizeof(char), 1); + alloc_len = 2 * (size_t)subject_len + 1; /* Initialize */ match = NULL; @@ -1212,8 +1212,8 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub } if (new_len + 1 > alloc_len) { - alloc_len = 1 + alloc_len + 2 * new_len; - new_buf = emalloc(alloc_len); + new_buf = safe_emalloc(2, new_len + 1, alloc_len); + alloc_len = 1 + alloc_len + 2 * (size_t)new_len; memcpy(new_buf, result, *result_len); efree(result); result = new_buf; @@ -1276,8 +1276,8 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub } else { new_len = *result_len + subject_len - start_offset; if (new_len + 1 > alloc_len) { - alloc_len = new_len + 1; /* now we know exactly how long it is */ - new_buf = safe_emalloc(alloc_len, sizeof(char), 0); + new_buf = safe_emalloc(new_len, sizeof(char), 1); + alloc_len = (size_t)new_len + 1; /* now we know exactly how long it is */ memcpy(new_buf, result, *result_len); efree(result); result = new_buf; @@ -1308,6 +1308,12 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub efree(offsets); efree(subpat_names); + if(result && (size_t)(*result_len) > INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Result is too big, max is %d", INT_MAX); + efree(result); + result = NULL; + } + return result; } /* }}} */ -- 2.40.0