summaryrefslogtreecommitdiffstats
path: root/bug72838.patch
blob: 76e83861ec237f5b05d07a4516bc339ecc433250 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Backported from 5.6.25 by Remi.

From 6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 15 Aug 2016 23:43:59 -0700
Subject: [PATCH] Fix bug #72838 - 	Integer overflow lead to heap
 corruption in sql_regcase

---
 ext/ereg/ereg.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 5d38d04..8eb833a 100644
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
 	
 	for (i = j = 0; i < string_len; i++) {
 		c = (unsigned char) string[i];
+		if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
+			efree(tmp);
+			RETURN_FALSE;
+		}
 		if (isalpha(c)) {
 			tmp[j++] = '[';
 			tmp[j++] = toupper(c);