archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 22:18:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix bug #72114 - int/size_t confusion in fread

Browse source
This commit is contained in:
Stanislav Malyshev 2016-05-09 21:55:29 -07:00
parent 95ed19ae28
commit abd159cce4
2 changed files with 18 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
ext/standard/file.c
View file

@ -1758,6 +1758,12 @@ PHPAPI PHP_FUNCTION(fread)
RETURN_FALSE; RETURN_FALSE;
} }
if (len > INT_MAX) {
/* string length is int in 5.x so we can not read more than int */
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
RETURN_FALSE;
}
Z_STRVAL_P(return_value) = emalloc(len + 1); Z_STRVAL_P(return_value) = emalloc(len + 1);
Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len); Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);

12
ext/standard/tests/file/bug72114.phpt Normal file
View file

@ -0,0 +1,12 @@
--TEST--
Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
--FILE--
<?php
ini_set('memory_limit', "2500M");
$fp = fopen("/dev/zero", "r");
fread($fp, 2147483648);
?>
Done
--EXPECTF--
Warning: fread(): Length parameter must be no more than 2147483647 in %s/bug72114.php on line %d
Done