archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix for bug #72807 - do not produce strings with negative length

Browse source
This commit is contained in:
Stanislav Malyshev 2016-08-11 23:36:25 -07:00
parent 5a34bd6d1e
commit 1cd6bc6463
2 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Zend/zend_API.h
View file

@ -447,7 +447,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval
#define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC)
#define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC)
#define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC)
#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC);
@ -458,7 +458,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache;
/** Build zend_call_info/cache from a zval*
*
* Caller is responsible to provide a return value, otherwise the we will crash.
* Caller is responsible to provide a return value, otherwise the we will crash.
* fci->retval_ptr_ptr = NULL;
* In order to pass parameters the following members need to be set:
* fci->param_count = 0;
@ -578,6 +578,9 @@ END_EXTERN_C()
const char *__s=(s); \
zval *__z = (z); \
Z_STRLEN_P(__z) = strlen(__s); \
if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
zend_error(E_ERROR, "String size overflow"); \
} \
Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
Z_TYPE_P(__z) = IS_STRING; \
} while (0)

4
ext/curl/interface.c
View file

@ -3478,6 +3478,10 @@ PHP_FUNCTION(curl_escape)
ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
if ((res = curl_easy_escape(ch->cp, str, str_len))) {
if (strlen(res) > INT_MAX) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX);
RETURN_FALSE;
}
RETVAL_STRING(res, 1);
curl_free(res);
} else {