mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
This commit is contained in:
parent
cfdeedd985
commit
5f91f692c3
@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
|
||||
|
||||
for (i = j = 0; i < string_len; i++) {
|
||||
c = (unsigned char) string[i];
|
||||
if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
|
||||
php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
|
||||
efree(tmp);
|
||||
RETURN_FALSE;
|
||||
}
|
||||
if (isalpha(c)) {
|
||||
tmp[j++] = '[';
|
||||
tmp[j++] = toupper(c);
|
||||
|
Loading…
Reference in New Issue
Block a user