mirror of
https://github.com/php/php-src.git
synced 2024-09-22 18:37:25 +00:00
9164dc11e2
The issue is caused by an integer overflow when the `long` passed as XML_OPTION_SKIP_TAGSTART is assigned to `xml_parser::toffset` which is declared as `int`. We can simply work around this issue, by clipping resulting negative values to 0 (and raising a notice in this case), because the reasonable range for this value is certainly catered to by positive `int`s. However, there still remains the issue that `xml_parser::toffset` is later added to `char *`s, which can cause OOB reads, so we make sure that the upper bound never exceeds the strlen(). We eschew optimizing `SKIP_TAGSTART` wrt. the potentially duplicate strlen() call, because that code path is unexpected anyway.

| Name |
|---|
| tests |
| compat.c |
| config.m4 |
| config.w32 |
| CREDITS |
| expat_compat.h |
| package.xml |
| php_xml.h |
| xml.c |
| xml.mak |