stas Wed Jun 6 20:06:43 2007 UTC Modified files: /php-src/ext/standard string.c Log: MF5: Fix chunk_split fix - avoid using floats MF5: Fix money_format - don't give strfmon more arguments then supplied MF5: Fix str[c]spn integer overflow http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.640&r2=1.641&diff_format=u Index: php-src/ext/standard/string.c diff -u php-src/ext/standard/string.c:1.640 php-src/ext/standard/string.c:1.641 --- php-src/ext/standard/string.c:1.640 Tue Jun 5 13:37:05 2007 +++ php-src/ext/standard/string.c Wed Jun 6 20:06:43 2007 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: string.c,v 1.640 2007/06/05 13:37:05 tony2001 Exp $ */ +/* $Id: string.c,v 1.641 2007/06/06 20:06:43 stas Exp $ */ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ @@ -249,10 +249,14 @@ } } - if (((unsigned) start + (unsigned) len) > len1) { + if (len > len1 - start) { len = len1 - start; } + if(len == 0) { + RETURN_LONG(0); + } + if (type1 == IS_UNICODE) { UChar *u_start, *u_end; int32_t i = 0; @@ -3083,7 +3087,7 @@ int chunks; /* complete chunks! */ int restlen; int charsize = sizeof(char); - float out_len; + int out_len; if (str_type == IS_UNICODE) { charsize = sizeof(UChar); @@ -3092,15 +3096,24 @@ chunks = srclen / chunklen; restlen = srclen - chunks * chunklen; /* srclen % chunklen */ + if(chunks > INT_MAX - 1) { + return NULL; + } out_len = chunks + 1; + if(endlen !=0 && out_len > INT_MAX/endlen) { + return NULL; + } out_len *= endlen; + if(out_len > INT_MAX - srclen - 1) { + return NULL; + } out_len += srclen + 1; - if ((out_len > INT_MAX || out_len <= 0) || ((out_len * charsize) > INT_MAX || (out_len * charsize) <= 0)) { + if (out_len > INT_MAX/charsize) { return NULL; } - dest = safe_emalloc((int)out_len, charsize, 0); + dest = safe_emalloc(out_len, charsize, 0); for (p = src, q = dest; p < (src + charsize * (srclen - chunklen + 1)); ) { memcpy(q, p, chunklen * charsize); 
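Review bot: In the @@ -249 hunk the new clamp `if (len > len1 - start)` is only overflow-free when `start` is already within `[0, len1]` and `len` is non-negative, and nothing in the hunk states that. The normalisation presumably happens in the branches that close just above the hunk, which are not visible here. I would add a comment on the clamp, e.g. `/* start is in [0, len1] and len >= 0 here, so len1 - start cannot go negative */`, so a later change to the argument handling does not silently bring back a wrap. The added `if(len == 0)` also lacks the space after `if` that the neighbouring lines use.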
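Review bot: The overflow checks added in the @@ -3092 hunk are correct only for `srclen >= 0`, `endlen >= 0` and `chunklen > 0`: `INT_MAX - srclen - 1` itself overflows for a negative `srclen`, and the `srclen / chunklen` context line divides by `chunklen` unchecked. The function's signature and its callers are outside the hunk, so this may already be guaranteed, but the helper now has three more `return NULL` exits and neither contract is written down. I would put a comment above the first check, e.g. `/* lengths are non-negative and chunklen > 0 (validated by the caller); NULL means the result would not fit in an int */`. The added `if(` and `!=0` spacing also differs from the surrounding `if (` style.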
@@ -7654,13 +7667,28 @@ PHP_FUNCTION(money_format) { int format_len = 0, str_len; - char *format, *str; + char *format, *str, *p, *e; double value; + zend_bool check = 0; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sd", &format, &format_len, &value) == FAILURE) { return; } + p = format; + e = p + format_len; + while ((p = memchr(p, '%', (e - p)))) { + if (*(p + 1) == '%') { + p += 2; + } else if (!check) { + check = 1; + p++; + } else { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a single %%i or %%n token can be used"); + RETURN_FALSE; + } + } + str_len = format_len + 1024; str = emalloc(str_len); if ((str_len = strfmon(str, str_len, format, value)) < 0) {
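Review bot: In the new scan loop, `*(p + 1)` is read without comparing against `e`, so when the `%` found by `memchr` is the last byte of the format the test reads `format[format_len]`. That is in bounds only if the parameter parser NUL-terminates the string, which the hunk does not show; bounding the read explicitly keeps the loop self-contained: `if (p + 1 < e && *(p + 1) == '%') {`. A lone trailing `%` then falls through to the `!check` branch exactly as it does now. The function body continues past the end of the hunk.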