Fix bug #74603 - use correct buffer size

(cherry picked from commit 05255749139b3686c8a6a58ee01131ac0047465e)
author: Stanislav Malyshev <stas@php.net> 2017-06-20 00:09:01 -0700
committer: Anatol Belski <ab@php.net> 2017-07-05 10:10:39 +0200
commit: 5e255e9003987fd64bb91c196bc3cea2dab9a24b (patch)
tree: f9c587b1420978d9867d77d8c245bbe272a68f10
parent: b954afea1273932ee247b436c5bba1b734ad8b80 (diff)
download: php-git-5e255e9003987fd64bb91c196bc3cea2dab9a24b.tar.gz
3 files changed, 17 insertions, 1 deletions
diff --git a/Zend/tests/bug74603.ini b/Zend/tests/bug74603.ini
new file mode 100644
index 0000000000..8d74a570ec
--- /dev/null
+++ b/Zend/tests/bug74603.ini
@@ -0,0 +1 @@
+0=0&~2000000000
diff --git a/Zend/tests/bug74603.phpt b/Zend/tests/bug74603.phpt
new file mode 100644
index 0000000000..b3194ecd48
--- /dev/null
+++ b/Zend/tests/bug74603.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability)
+--SKIPIF--
+<?php
+if (PHP_INT_MAX !== 2147483647)
+        die('skip for 32-bit only');
+--FILE--
+<?php
+var_dump(parse_ini_file(__DIR__ . "/bug74603.ini", true, INI_SCANNER_NORMAL));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(1) "0"
+}
diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y
index e83f02f983..f252581081 100644
--- a/Zend/zend_ini_parser.y
+++ b/Zend/zend_ini_parser.y
@@ -55,7 +55,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
 	int i_result;
 	int i_op1, i_op2;
 	int str_len;
-	char str_result[MAX_LENGTH_OF_LONG];
+	char str_result[MAX_LENGTH_OF_LONG+1];
 
 	i_op1 = atoi(Z_STRVAL_P(op1));
 	zend_string_free(Z_STR_P(op1));
author	Stanislav Malyshev <stas@php.net>	2017-06-20 00:09:01 -0700
committer	Anatol Belski <ab@php.net>	2017-07-05 10:10:39 +0200
commit	5e255e9003987fd64bb91c196bc3cea2dab9a24b (patch)
tree	f9c587b1420978d9867d77d8c245bbe272a68f10
parent	b954afea1273932ee247b436c5bba1b734ad8b80 (diff)
download	php-git-5e255e9003987fd64bb91c196bc3cea2dab9a24b.tar.gz