Fix for bug #72807 - do not produce strings with negative length

2025-08-16 05:58:45 +02:00 · 2016-08-11 23:36:25 -07:00 · 2016-08-11 23:36:25 -07:00 · 1cd6bc6463
commit 1cd6bc6463
parent 5a34bd6d1e
2 changed files with 9 additions and 2 deletions
--- a/Zend/zend_API.h
+++ b/Zend/zend_API.h
@ -578,6 +578,9 @@ END_EXTERN_C()
 		const char *__s=(s);				\
 		zval *__z = (z);					\
 		Z_STRLEN_P(__z) = strlen(__s);		\
+		if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
+			zend_error(E_ERROR, "String size overflow"); \
+		}									\
 		Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
 		Z_TYPE_P(__z) = IS_STRING;			\
 	} while (0)
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@ -3478,6 +3478,10 @@ PHP_FUNCTION(curl_escape)
 	ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);

 	if ((res = curl_easy_escape(ch->cp, str, str_len))) {
+		if (strlen(res) > INT_MAX) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX);
+			RETURN_FALSE;
+		}
 		RETVAL_STRING(res, 1);
 		curl_free(res);
 	} else {