authorStanislav Malyshev <stas@php.net>2016-09-01 23:15:34 -0700
committerStanislav Malyshev <stas@php.net>2016-09-12 21:04:23 -0700
commit19866fb76cf4c95d904ebb0e08592cf38303fae9 (patch)
treedd21e44e7b8953545e0869915e1e40cc23e4e9f8 /Zend/zend_API.c
parent0cbf634657dbaf5a49ba1c9f2d479d05c2e806d6 (diff)
Fix various int size overflows.
Add function for detection of string zvals with length that does not fit INT_MAX.
Diffstat (limited to 'Zend/zend_API.c')
-rw-r--r--Zend/zend_API.c61
1 files changed, 50 insertions, 11 deletions
diff --git a/Zend/zend_API.c b/Zend/zend_API.c
index 7e622c6ea7..1f50016bd6 100644
--- a/Zend/zend_API.c
+++ b/Zend/zend_API.c
@@ -1074,7 +1074,7 @@ static int zval_update_class_constant(zval **pp, int is_static, int offset TSRML
*scope = old_scope;
return ret;
}
- }
+ }
ce = ce->parent;
} while (ce);
@@ -1279,9 +1279,14 @@ ZEND_API int add_assoc_double_ex(zval *arg, const char *key, uint key_len, doubl
ZEND_API int add_assoc_string_ex(zval *arg, const char *key, uint key_len, char *str, int duplicate) /* {{{ */
{
zval *tmp;
+ size_t _len = strlen(str);
+
+ if (UNEXPECTED(_len > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
MAKE_STD_ZVAL(tmp);
- ZVAL_STRING(tmp, str, duplicate);
+ ZVAL_STRINGL(tmp, str, _len, duplicate);
return zend_symtable_update(Z_ARRVAL_P(arg), key, key_len, (void *) &tmp, sizeof(zval *), NULL);
}
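Review bot: The length guard added at the top of add_assoc_string_ex is repeated verbatim in add_index_string, add_get_assoc_string_ex and add_property_string_ex, and again without the strlen() in each *_stringl variant, so the limit and the message now live in nine places. A single file-local macro would keep them in step, for example `#define CHECK_STR_LEN_FITS_INT(l) do { if (UNEXPECTED((l) > INT_MAX)) zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX); } while (0)` (the name is only a suggestion). It would also be worth a one-line comment at the guard saying why INT_MAX is the bound, e.g. `/* zval string length is stored as int; reject anything that would wrap negative */`.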
@@ -1291,6 +1296,10 @@ ZEND_API int add_assoc_stringl_ex(zval *arg, const char *key, uint key_len, char
{
zval *tmp;
+ if (UNEXPECTED(length > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
+
MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate);
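Review bot: The `length > INT_MAX` check in add_assoc_stringl_ex only sees the value after it has been narrowed to the parameter type; the hunk header for add_next_index_stringl shows `uint length`, and this signature (truncated in the header here) presumably matches. A caller holding a size_t above UINT_MAX would have it silently truncated at the call, and the truncated value can pass this guard, so the zval ends up with a length that disagrees with the buffer. The same applies to the guards in add_index_stringl, add_next_index_stringl, add_get_assoc_stringl_ex and add_property_stringl_ex. Either widen the parameter to `size_t` where the ABI allows it, or document on each function that callers must range-check before narrowing, e.g. `/* length must already fit in uint; callers with size_t input check before the call */`.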
@@ -1362,6 +1371,11 @@ ZEND_API int add_index_double(zval *arg, ulong index, double d) /* {{{ */
ZEND_API int add_index_string(zval *arg, ulong index, const char *str, int duplicate) /* {{{ */
{
zval *tmp;
+ size_t _len = strlen(str);
+
+ if (UNEXPECTED(_len > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
MAKE_STD_ZVAL(tmp);
ZVAL_STRING(tmp, str, duplicate);
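Review bot: add_index_string computes `_len` and checks it, but the unchanged `ZVAL_STRING(tmp, str, duplicate);` below still takes the length by scanning the string again, unlike add_assoc_string_ex, add_get_assoc_string_ex and add_property_string_ex, which this commit switches to ZVAL_STRINGL. Using the checked value keeps the stored length tied to the one that was validated and avoids a second pass over a potentially very large string: `ZVAL_STRINGL(tmp, str, _len, duplicate);`. The rest of the function body lies outside the hunk.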
@@ -1374,6 +1388,10 @@ ZEND_API int add_index_stringl(zval *arg, ulong index, const char *str, uint len
{
zval *tmp;
+ if (UNEXPECTED(length > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
+
MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate);
@@ -1457,6 +1475,9 @@ ZEND_API int add_next_index_stringl(zval *arg, const char *str, uint length, int
{
zval *tmp;
+ if (UNEXPECTED(length > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate);
@@ -1473,9 +1494,14 @@ ZEND_API int add_next_index_zval(zval *arg, zval *value) /* {{{ */
ZEND_API int add_get_assoc_string_ex(zval *arg, const char *key, uint key_len, const char *str, void **dest, int duplicate) /* {{{ */
{
zval *tmp;
+ size_t _len = strlen(str);
+
+ if (UNEXPECTED(_len > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
MAKE_STD_ZVAL(tmp);
- ZVAL_STRING(tmp, str, duplicate);
+ ZVAL_STRINGL(tmp, str, _len, duplicate);
return zend_symtable_update(Z_ARRVAL_P(arg), key, key_len, (void *) &tmp, sizeof(zval *), dest);
}
@@ -1485,6 +1511,10 @@ ZEND_API int add_get_assoc_stringl_ex(zval *arg, const char *key, uint key_len,
{
zval *tmp;
+ if (UNEXPECTED(length > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
+
MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate);
@@ -1664,9 +1694,14 @@ ZEND_API int add_property_string_ex(zval *arg, const char *key, uint key_len, co
{
zval *tmp;
zval *z_key;
+ size_t _len = strlen(str);
+
+ if (UNEXPECTED(_len > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
MAKE_STD_ZVAL(tmp);
- ZVAL_STRING(tmp, str, duplicate);
+ ZVAL_STRINGL(tmp, str, _len, duplicate);
MAKE_STD_ZVAL(z_key);
ZVAL_STRINGL(z_key, key, key_len-1, 1);
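Review bot: In add_property_string_ex the new guard covers the value string only; the key length on the last line of the hunk, `ZVAL_STRINGL(z_key, key, key_len-1, 1);`, goes into a zval unchecked. `key_len` is a `uint`, so `key_len-1` wraps to UINT_MAX when key_len is 0 and exceeds INT_MAX for very large keys, which looks like the same class of int-size overflow this commit targets. If the callers do not already guarantee a sane key length, a matching check before the second MAKE_STD_ZVAL would close it: `if (UNEXPECTED(key_len == 0 || key_len - 1 > INT_MAX)) { zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX); }`. add_property_stringl_ex presumably builds z_key the same way, but that line is outside its hunk.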
@@ -1683,6 +1718,10 @@ ZEND_API int add_property_stringl_ex(zval *arg, const char *key, uint key_len, c
zval *tmp;
zval *z_key;
+ if (UNEXPECTED(length > INT_MAX)) {
+ zend_error_noreturn(E_ERROR, "String overflow, max size is %d", INT_MAX);
+ }
+
MAKE_STD_ZVAL(tmp);
ZVAL_STRINGL(tmp, str, length, duplicate);
@@ -1836,7 +1875,7 @@ ZEND_API void zend_collect_module_handlers(TSRMLS_D) /* {{{ */
module_post_deactivate_handlers = module_request_shutdown_handlers + shutdown_count + 1;
module_post_deactivate_handlers[post_deactivate_count] = NULL;
startup_count = 0;
-
+
for (zend_hash_internal_pointer_reset_ex(&module_registry, &pos);
zend_hash_get_current_data_ex(&module_registry, (void *) &module, &pos) == SUCCESS;
zend_hash_move_forward_ex(&module_registry, &pos)) {
@@ -2083,7 +2122,7 @@ ZEND_API int zend_register_functions(zend_class_entry *scope, const zend_functio
}
if (ptr->arg_info) {
zend_internal_function_info *info = (zend_internal_function_info*)ptr->arg_info;
-
+
internal_function->arg_info = (zend_arg_info*)ptr->arg_info+1;
internal_function->num_args = ptr->num_args;
/* Currently you cannot denote that the function can accept less arguments than num_args */
@@ -2701,7 +2740,7 @@ static int zend_is_callable_check_class(const char *name, int name_len, zend_fca
}
ret = 1;
}
- } else if (name_len == sizeof("parent") - 1 &&
+ } else if (name_len == sizeof("parent") - 1 &&
!memcmp(lcname, "parent", sizeof("parent") - 1)) {
if (!EG(scope)) {
if (error) *error = estrdup("cannot access parent:: when no class scope is active");
@@ -3030,7 +3069,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch
if (error) {
*error = NULL;
}
-
+
fcc->initialized = 0;
fcc->calling_scope = NULL;
fcc->called_scope = NULL;
@@ -3042,7 +3081,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch
object_ptr = NULL;
}
if (object_ptr &&
- (!EG(objects_store).object_buckets ||
+ (!EG(objects_store).object_buckets ||
!EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(object_ptr)].valid)) {
return 0;
}
@@ -3123,7 +3162,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch
}
} else {
- if (!EG(objects_store).object_buckets ||
+ if (!EG(objects_store).object_buckets ||
!EG(objects_store).object_buckets[Z_OBJ_HANDLE_PP(obj)].valid) {
return 0;
}
@@ -3192,7 +3231,7 @@ ZEND_API zend_bool zend_is_callable_ex(zval *callable, zval *object_ptr, uint ch
*callable_name = emalloc(*callable_name_len + 1);
memcpy(*callable_name, ce->name, ce->name_length);
memcpy((*callable_name) + ce->name_length, "::__invoke", sizeof("::__invoke"));
- }
+ }
return 1;
}
/* break missing intentionally */