Fixed an interger overflow inside chunk_split(), identified by Gerhard

Wagner

NEWS

@@ -1,6 +1,8 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Jun 2007, PHP 5.2.3
+- Fixed an interger overflow inside chunk_split(), identified by Gerhard
+  Wagner (Ilia) 
 - Fixed bug #41525 (ReflectionParameter::getPosition() not available). (Marcus)
 - Fixed bug #41511 (Compile failure under IRIX 6.5.30 building md5.c). (Jani)
 - Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty

ext/standard/string.c

@@ -1956,11 +1956,18 @@ static char *php_chunk_split(char *src, int srclen, char *end, int endlen, int c
 	char *p, *q;
 	int chunks; /* complete chunks! */
 	int restlen;
+	int out_len; 
 
 	chunks = srclen / chunklen;
 	restlen = srclen - chunks * chunklen; /* srclen % chunklen */
 
-	dest = safe_emalloc((srclen + (chunks + 1) * endlen + 1), sizeof(char), 0);
+	out_len = (srclen + (chunks + 1) * endlen + 1);
+
+	if (out_len > INT_MAX || out_len <= 0) {
+		return NULL;
+	}
+
+	dest = safe_emalloc(out_len, sizeof(char), 0);
 
 	for (p = src, q = dest; p < (src + srclen - chunklen + 1); ) {
 		memcpy(q, p, chunklen);

ext/standard/tests/strings/chunk_split.phpt

@@ -6,6 +6,12 @@ echo chunk_split('abc', 1, '-')."\n";
 echo chunk_split('foooooooooooooooo', 5)."\n";
 echo chunk_split(str_repeat('X', 2*76))."\n";
 echo chunk_split("test", 10, "|end") . "\n";
+
+$a=str_repeat("B", 65535);
+$b=1;
+$c=str_repeat("B", 65535);
+var_dump(chunk_split($a,$b,$c));
+
 ?>
 --EXPECT--
 a-b-c-
@@ -18,3 +24,4 @@ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
 test|end
+bool(false)