Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase

Stanislav Malyshev 2016-08-15 23:43:59 -07:00
parent cfdeedd985
commit 5f91f692c3


@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
for (i = j = 0; i < string_len; i++) {
c = (unsigned char) string[i];
if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
efree(tmp);
RETURN_FALSE;
}
if (isalpha(c)) {
tmp[j++] = '[';
tmp[j++] = toupper(c);