Skip to content

Commit 122ee0a

Browse files
m6w6m6w6
committed
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5: fix integer overflow in {stream,file}_{get,put}_contents()
2 parents d5d95f8 + 1e06c73 commit 122ee0a

File tree

2 files changed

+17
-5
lines changed

2 files changed

+17
-5
lines changed

ext/standard/file.c

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -527,7 +527,7 @@ PHP_FUNCTION(file_get_contents)
527527
char *contents;
528528
zend_bool use_include_path = 0;
529529
php_stream *stream;
530-
int len;
530+
long len;
531531
long offset = -1;
532532
long maxlen = PHP_STREAM_COPY_ALL;
533533
zval *zcontext = NULL;
@@ -559,6 +559,10 @@ PHP_FUNCTION(file_get_contents)
559559
}
560560

561561
if ((len = php_stream_copy_to_mem(stream, &contents, maxlen, 0)) > 0) {
562+
if (len > INT_MAX) {
563+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
564+
len = INT_MAX;
565+
}
562566
RETVAL_STRINGL(contents, len, 0);
563567
} else if (len == 0) {
564568
RETVAL_EMPTY_STRING();
@@ -578,7 +582,7 @@ PHP_FUNCTION(file_put_contents)
578582
char *filename;
579583
int filename_len;
580584
zval *data;
581-
int numbytes = 0;
585+
long numbytes = 0;
582586
long flags = 0;
583587
zval *zcontext = NULL;
584588
php_stream_context *context = NULL;
@@ -630,6 +634,10 @@ PHP_FUNCTION(file_put_contents)
630634
if (php_stream_copy_to_stream_ex(srcstream, stream, PHP_STREAM_COPY_ALL, &len) != SUCCESS) {
631635
numbytes = -1;
632636
} else {
637+
if (len > LONG_MAX) {
638+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %lu to %ld bytes", (unsigned long) len, LONG_MAX);
639+
len = LONG_MAX;
640+
}
633641
numbytes = len;
634642
}
635643
break;
@@ -645,7 +653,7 @@ PHP_FUNCTION(file_put_contents)
645653
if (Z_STRLEN_P(data)) {
646654
numbytes = php_stream_write(stream, Z_STRVAL_P(data), Z_STRLEN_P(data));
647655
if (numbytes != Z_STRLEN_P(data)) {
648-
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data));
656+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data));
649657
numbytes = -1;
650658
}
651659
}
@@ -688,7 +696,7 @@ PHP_FUNCTION(file_put_contents)
688696
if (zend_std_cast_object_tostring(data, &out, IS_STRING TSRMLS_CC) == SUCCESS) {
689697
numbytes = php_stream_write(stream, Z_STRVAL(out), Z_STRLEN(out));
690698
if (numbytes != Z_STRLEN(out)) {
691-
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out));
699+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out));
692700
numbytes = -1;
693701
}
694702
zval_dtor(&out);

ext/standard/streamsfuncs.c

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -409,7 +409,7 @@ PHP_FUNCTION(stream_get_contents)
409409
zval *zsrc;
410410
long maxlen = PHP_STREAM_COPY_ALL,
411411
desiredpos = -1L;
412-
int len;
412+
long len;
413413
char *contents = NULL;
414414

415415
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ll", &zsrc, &maxlen, &desiredpos) == FAILURE) {
@@ -441,6 +441,10 @@ PHP_FUNCTION(stream_get_contents)
441441
len = php_stream_copy_to_mem(stream, &contents, maxlen, 0);
442442

443443
if (contents) {
444+
if (len > INT_MAX) {
445+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
446+
len = INT_MAX;
447+
}
444448
RETVAL_STRINGL(contents, len, 0);
445449
} else {
446450
RETVAL_EMPTY_STRING();

0 commit comments

Comments
 (0)