From d4b90b47881a8a7738f01c33dc8fe4827d193273 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Thu, 3 Nov 2011 07:26:09 +0000
Subject: [PATCH] Fixed bug #60206 (possible integer overflow in content_length)
---
 NEWS | 3 +++
 sapi/apache/mod_php5.c | 2 +-
 sapi/apache2filter/sapi_apache2.c | 2 +-
 sapi/apache2handler/sapi_apache2.c | 2 +-
 sapi/apache_hooks/mod_php5.c | 2 +-
 sapi/cgi/cgi_main.c | 2 +-
 sapi/fpm/fpm/fpm_main.c | 2 +-
 7 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/NEWS b/NEWS
index 5a8189c488..0130d1620e 100644
--- a/NEWS
+++ b/NEWS
@@ -31,6 +31,9 @@ PHP NEWS . Fixed bug #60201 (SplFileObject::setCsvControl does not expose third argument via Reflection). (Peter) +- SAPI: + . Fixed bug #60205 (possible integer overflow in content_length). (Laruence) + 20 Oct 2011, PHP 5.4.0 beta2 - General improvements: . Improve the warning message of incompatible arguments. (Laruence)
diff --git a/sapi/apache/mod_php5.c b/sapi/apache/mod_php5.c
index 16f7756d67..74148be30a 100644
--- a/sapi/apache/mod_php5.c
+++ b/sapi/apache/mod_php5.c
@@ -529,7 +529,7 @@ static void init_request_info(TSRMLS_D)
 SG(request_info).request_uri = r->uri;
 SG(request_info).request_method = (char *)r->method;
 SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 SG(sapi_headers).http_response_code = r->status;
 SG(request_info).proto_num = r->proto_num;
diff --git a/sapi/apache2filter/sapi_apache2.c b/sapi/apache2filter/sapi_apache2.c
index b8699a9d49..c3d6d5fb0d 100644
--- a/sapi/apache2filter/sapi_apache2.c
+++ b/sapi/apache2filter/sapi_apache2.c
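Review bot: In init_request_info of sapi/apache/mod_php5.c the new `atol(content_length)` still parses a client-supplied header with no error reporting: a value that does not fit in `long` is undefined behaviour for atol just as it was for atoi, a negative value such as `-1` is accepted, and trailing garbage is silently ignored. `long` is also 32 bits on 32-bit and LLP64 (Windows) builds, so the overflow is only moved on LP64 targets; the declaration of `SG(request_info).content_length` is not visible here, so the result may still be narrowed on assignment, which is worth confirming. The same line appears in the other five hunks (apache2filter, apache2handler, apache_hooks, cgi, fpm), and a checked `strtol` parse, ideally in one shared helper, would cover them all. The function body continues outside the hunk.

```c
	SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
	SG(request_info).content_length = 0;
	if (content_length) {
		char *end;
		long parsed;

		errno = 0;
		parsed = strtol(content_length, &end, 10);
		/* accept only a complete, non-negative, in-range decimal value;
		 * anything else leaves the length at 0 (or reject the request,
		 * depending on SAPI policy) */
		if (end != content_length && *end == '\0' && errno != ERANGE && parsed >= 0) {
			SG(request_info).content_length = parsed;
		}
	}
	/* … unchanged: http_response_code and proto_num assignments … */
```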
@@ -419,7 +419,7 @@ static void php_apache_request_ctor(ap_filter_t *f, php_struct *ctx TSRMLS_DC)
 efree(content_type);
 content_length = (char *) apr_table_get(f->r->headers_in, "Content-Length");
- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 apr_table_unset(f->r->headers_out, "Content-Length");
 apr_table_unset(f->r->headers_out, "Last-Modified");
diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c
index a7f250d512..bb772b24c1 100644
--- a/sapi/apache2handler/sapi_apache2.c
+++ b/sapi/apache2handler/sapi_apache2.c
@@ -483,7 +483,7 @@ static int php_apache_request_ctor(request_rec *r, php_struct *ctx TSRMLS_DC)
 r->no_local_copy = 1;
 content_length = (char *) apr_table_get(r->headers_in, "Content-Length");
- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 apr_table_unset(r->headers_out, "Content-Length");
 apr_table_unset(r->headers_out, "Last-Modified");
diff --git a/sapi/apache_hooks/mod_php5.c b/sapi/apache_hooks/mod_php5.c
index b976edf431..0a814df953 100644
--- a/sapi/apache_hooks/mod_php5.c
+++ b/sapi/apache_hooks/mod_php5.c
@@ -582,7 +582,7 @@ static void init_request_info(TSRMLS_D)
 SG(request_info).request_method = (char *)r->method;
 SG(request_info).proto_num = r->proto_num;
 SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 SG(sapi_headers).http_response_code = r->status;
 if (r->headers_in) {
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index d6d8bebfe0..c54f483689 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1413,7 +1413,7 @@ static void init_request_info(fcgi_request *request TSRMLS_DC)
 /* FIXME - Work out proto_num here */
 SG(request_info).query_string = CGI_GETENV("QUERY_STRING");
 SG(request_info).content_type = (content_type ? content_type : "" );
- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 /* The CGI RFC allows servers to pass on unvalidated Authorization data */
 auth = CGI_GETENV("HTTP_AUTHORIZATION");
diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
index a9298e7573..6ad53df4f1 100644
--- a/sapi/fpm/fpm/fpm_main.c
+++ b/sapi/fpm/fpm/fpm_main.c
@@ -1325,7 +1325,7 @@ static void init_request_info(TSRMLS_D)
 /* FIXME - Work out proto_num here */
 SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING", sizeof("QUERY_STRING") - 1 TSRMLS_CC);
 SG(request_info).content_type = (content_type ? content_type : "" );
- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 /* The CGI RFC allows servers to pass on unvalidated Authorization data */
 auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION") - 1 TSRMLS_CC);
--
2.40.0