cataphract Sun, 05 Feb 2012 14:57:57 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=323079
Log:
- Fixed possible unsigned int wrap around in html.c. Note that 5.3 has the same
(potential) problem; even though the code is substantially different, the
variable name and the fashion it was incremented was kept.
Changed paths:
U php/php-src/trunk/ext/standard/html.c
Modified: php/php-src/trunk/ext/standard/html.c
===================================================================
--- php/php-src/trunk/ext/standard/html.c 2012-02-05 11:45:01 UTC (rev
323078)
+++ php/php-src/trunk/ext/standard/html.c 2012-02-05 14:57:57 UTC (rev
323079)
@@ -1257,9 +1257,13 @@
maxlen = 128;
} else {
maxlen = 2 * oldlen;
+ if (maxlen < oldlen) {
+ zend_error_noreturn(E_ERROR, "Input string is too
long");
+ return NULL;
+ }
}
- replaced = emalloc(maxlen + 1);
+ replaced = emalloc(maxlen + 1); /* adding 1 is safe: maxlen is even */
len = 0;
cursor = 0;
while (cursor < oldlen) {
@@ -1271,8 +1275,9 @@
/* guarantee we have at least 40 bytes to write.
* In HTML5, entities may take up to 33 bytes */
- if (len + 40 > maxlen) {
- replaced = erealloc(replaced, (maxlen += 128) + 1);
+ if (len > maxlen - 40) { /* maxlen can never be smaller than
128 */
+ replaced = safe_erealloc(replaced, maxlen , 1, 128 + 1);
+ maxlen += 128;
}
if (status == FAILURE) {
@@ -1401,8 +1406,11 @@
}
/* checks passed; copy entity to result */
/* entity size is unbounded, we may need more
memory */
- if (maxlen < len + ent_len + 2 /* & and ; */) {
- replaced = erealloc(replaced, (maxlen
+= ent_len + 128) + 1);
+ /* at this point maxlen - len >= 40 */
+ if (maxlen - len < ent_len + 2 /* & and ; */) {
+ /* ent_len < oldlen, which is certainly
<= SIZE_MAX/2 */
+ replaced = safe_erealloc(replaced,
maxlen, 1, ent_len + 128 + 1);
+ maxlen += ent_len + 128;
}
replaced[len++] = '&';
memcpy(&replaced[len], &old[cursor], ent_len);
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
