diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-06-21 00:01:48 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-06-21 00:01:48 -0700 |
| commit | 7dde353ee79fcee73873cc19e1124704b94bd366 (patch) | |
| tree | f0bd2c3969846a52fcb19fac8b63b18eb8121379 /ext/standard/php_smart_str.h | |
| parent | d144590d38fa321b46b8e199c754006318985c84 (diff) | |
| parent | c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 (diff) | |
| download | php-git-7dde353ee79fcee73873cc19e1124704b94bd366.tar.gz | |
Merge branch 'PHP-5.5' into PHP-5.6.23
* PHP-5.5:
Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
update NEWS
fix tests
fix build
Fix bug #72455: Heap Overflow due to integer overflows
Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fix bug #72407: NULL Pointer Dereference at _gdScaleVert
Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
Fix bug #72298 pass2_no_dither out-of-bounds access
Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
Fix bug #72262 - do not overflow int
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
Fix bug #72275: don't allow smart_str to overflow int
Fix bug #72340: Double Free Courruption in wddx_deserialize
update NEWS
Fix #66387: Stack overflow with imagefilltoborder
Skip test which is 64bits only
5.5.37 now
Conflicts:
configure.in
ext/mcrypt/mcrypt.c
ext/spl/spl_directory.c
main/php_version.h
Diffstat (limited to 'ext/standard/php_smart_str.h')
| -rw-r--r-- | ext/standard/php_smart_str.h | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/ext/standard/php_smart_str.h b/ext/standard/php_smart_str.h index a9a34bddc0..edd9d3a89f 100644 --- a/ext/standard/php_smart_str.h +++ b/ext/standard/php_smart_str.h @@ -63,6 +63,9 @@ newlen = (d)->len + (n); \ if (newlen >= (d)->a) { \ (d)->a = newlen + SMART_STR_PREALLOC; \ + if (UNEXPECTED((d)->a >= INT_MAX)) { \ + zend_error(E_ERROR, "String size overflow"); \ + } \ SMART_STR_DO_REALLOC(d, what); \ } \ } \ @@ -148,17 +151,17 @@ * for GCC compatible compilers, e.g. * * #define f(..) ({char *r;..;__r;}) - */ - + */ + static inline char *smart_str_print_long(char *buf, long num) { - char *r; - smart_str_print_long4(buf, num, unsigned long, r); + char *r; + smart_str_print_long4(buf, num, unsigned long, r); return r; } static inline char *smart_str_print_unsigned(char *buf, long num) { - char *r; - smart_str_print_unsigned4(buf, num, unsigned long, r); + char *r; + smart_str_print_unsigned4(buf, num, unsigned long, r); return r; } @@ -168,7 +171,7 @@ static inline char *smart_str_print_unsigned(char *buf, long num) { smart_str_print##func##4 (__b + sizeof(__b) - 1, (num), vartype, __t); \ smart_str_appendl_ex((dest), __t, __b + sizeof(__b) - 1 - __t, (type)); \ } while (0) - + #define smart_str_append_unsigned_ex(dest, num, type) \ smart_str_append_generic_ex((dest), (num), (type), unsigned long, _unsigned) |