iliaa Sun Jun 3 18:49:45 2007 UTC Modified files: (Branch: PHP_4_4) /php-src/ext/standard string.c /php-src/ext/standard/tests/strings chunk_split.phpt Log: MFB: Corrected fix for CVE-2007-2872
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.333.2.52.2.14&r2=1.333.2.52.2.15&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.333.2.52.2.14 php-src/ext/standard/string.c:1.333.2.52.2.15
--- php-src/ext/standard/string.c:1.333.2.52.2.14 Wed May 30 00:35:41 2007
+++ php-src/ext/standard/string.c Sun Jun 3 18:49:44 2007
@@ -18,7 +18,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: string.c,v 1.333.2.52.2.14 2007/05/30 00:35:41 iliaa Exp $ */
+/* $Id: string.c,v 1.333.2.52.2.15 2007/06/03 18:49:44 iliaa Exp $ */
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
@@ -1511,18 +1511,20 @@
 char *p, *q;
 int chunks; /* complete chunks! */
 int restlen;
- int out_len;
+ float out_len;
 chunks = srclen / chunklen;
 restlen = srclen - chunks * chunklen; /* srclen % chunklen */
- out_len = (srclen + (chunks + 1) * endlen + 1);
+ out_len = chunks + 1;
+ out_len *= endlen;
+ out_len += srclen + 1;
 if (out_len > INT_MAX || out_len <= 0) {
 return NULL;
 }
- dest = safe_emalloc(out_len, sizeof(char), 0);
+ dest = safe_emalloc((int)out_len, sizeof(char), 0);
 for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
 memcpy(q, p, chunklen);
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/strings/chunk_split.phpt?r1=1.1.2.1.2.1&r2=1.1.2.1.2.2&diff_format=u
Index: php-src/ext/standard/tests/strings/chunk_split.phpt
diff -u php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1.2.1 php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1.2.2
--- php-src/ext/standard/tests/strings/chunk_split.phpt:1.1.2.1.2.1 Wed May 30 00:35:41 2007
+++ php-src/ext/standard/tests/strings/chunk_split.phpt Sun Jun 3 18:49:45 2007
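Review bot: The output length in the second string.c hunk is now accumulated in a `float` (`float out_len;`), which on IEEE-754 targets carries only 24 significant bits, so a total above 2^24 may be rounded down and `safe_emalloc((int)out_len, sizeof(char), 0)` can receive a size smaller than the number of bytes the copy loop goes on to write. The guard `out_len > INT_MAX` is also evaluated in float, where INT_MAX itself rounds up to 2^31, so a value of exactly 2^31 is not rejected and the `(int)` cast is then out of range. Keeping `out_len` an `int` and checking each step against INT_MAX before performing it avoids both problems. The sketch below assumes `srclen` and `endlen` are non-negative ints; their declarations, like the start and end of the function, lie outside this hunk.

```c
	int out_len;
	/* … unchanged: chunks / restlen computation … */
	if (chunks > INT_MAX - 1) {
		return NULL;
	}
	out_len = chunks + 1;
	if (endlen != 0 && out_len > INT_MAX / endlen) {
		return NULL;
	}
	out_len *= endlen;
	if (out_len > INT_MAX - srclen - 1) {
		return NULL;
	}
	out_len += srclen + 1;

	dest = safe_emalloc(out_len, sizeof(char), 0);
	/* … unchanged: copy loop … */
```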
@@ -14,6 +14,12 @@
 $c=str_repeat("B", 65535);
 var_dump(chunk_split($a,$b,$c));
+$a=str_repeat("B", 65536);
+$b=1;
+$c=str_repeat("B", 65536);
+var_dump(chunk_split($a,$b,$c));
+
+
 ?>
 --EXPECT--
 a-b-c-
@@ -27,3 +33,4 @@
 test|end
 bool(false)
+bool(false)