Fixed bug #60206 (possible integer overflow in content_length)

NEWS

@@ -137,6 +137,9 @@ PHP                                                                        NEWS
 - FTP:
   . Fixed bug #60183 (out of sync ftp responses). (bram at ebskamp dot me, rasmus)
 
+- SAPI:
+  . Fixed bug #60205 (possible integer overflow in content_length). (Laruence)
+
 
 23 Aug 2011, PHP 5.3.8
 

sapi/apache/mod_php5.c

@@ -533,7 +533,7 @@ static void init_request_info(TSRMLS_D)
 	SG(request_info).request_uri = r->uri;
 	SG(request_info).request_method = (char *)r->method;
 	SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
-	SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+	SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 	SG(sapi_headers).http_response_code = r->status;
 	SG(request_info).proto_num = r->proto_num;
 

sapi/apache2filter/sapi_apache2.c

@@ -420,7 +420,7 @@ static void php_apache_request_ctor(ap_filter_t *f, php_struct *ctx TSRMLS_DC)
 	efree(content_type);
 
 	content_length = (char *) apr_table_get(f->r->headers_in, "Content-Length");
-	SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+	SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 	
 	apr_table_unset(f->r->headers_out, "Content-Length");
 	apr_table_unset(f->r->headers_out, "Last-Modified");

sapi/apache2handler/sapi_apache2.c

@@ -484,7 +484,7 @@ static int php_apache_request_ctor(request_rec *r, php_struct *ctx TSRMLS_DC)
 	r->no_local_copy = 1;
 
 	content_length = (char *) apr_table_get(r->headers_in, "Content-Length");
-	SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+	SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 
 	apr_table_unset(r->headers_out, "Content-Length");
 	apr_table_unset(r->headers_out, "Last-Modified");

sapi/apache_hooks/mod_php5.c

@@ -587,7 +587,7 @@ static void init_request_info(TSRMLS_D)
 	SG(request_info).request_method = (char *)r->method;
 	SG(request_info).proto_num = r->proto_num;
 	SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
-	SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+	SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 	SG(sapi_headers).http_response_code = r->status;
 
 	if (r->headers_in) {

sapi/cgi/cgi_main.c

@@ -1353,7 +1353,7 @@ static void init_request_info(TSRMLS_D)
 		/* FIXME - Work out proto_num here */
 		SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING", sizeof("QUERY_STRING")-1 TSRMLS_CC);
 		SG(request_info).content_type = (content_type ? content_type : "" );
-		SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+		SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 
 		/* The CGI RFC allows servers to pass on unvalidated Authorization data */
 		auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC);

sapi/fpm/fpm/fpm_main.c

@@ -1332,7 +1332,7 @@ static void init_request_info(TSRMLS_D)
 		/* FIXME - Work out proto_num here */
 		SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING", sizeof("QUERY_STRING") - 1 TSRMLS_CC);
 		SG(request_info).content_type = (content_type ? content_type : "" );
-		SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
+		SG(request_info).content_length = (content_length ? atol(content_length) : 0);
 
 		/* The CGI RFC allows servers to pass on unvalidated Authorization data */
 		auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION") - 1 TSRMLS_CC);