Skip to content

Commit 1e06c73

Browse files
m6w6m6w6
committed
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4: fix integer overflow in {stream,file}_{get,put}_contents()
2 parents 2e02f18 + 34e686c commit 1e06c73

File tree

2 files changed

+17
-5
lines changed

2 files changed

+17
-5
lines changed

ext/standard/file.c

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -519,7 +519,7 @@ PHP_FUNCTION(file_get_contents)
519519
char *contents;
520520
zend_bool use_include_path = 0;
521521
php_stream *stream;
522-
int len;
522+
long len;
523523
long offset = -1;
524524
long maxlen = PHP_STREAM_COPY_ALL;
525525
zval *zcontext = NULL;
@@ -551,6 +551,10 @@ PHP_FUNCTION(file_get_contents)
551551
}
552552

553553
if ((len = php_stream_copy_to_mem(stream, &contents, maxlen, 0)) > 0) {
554+
if (len > INT_MAX) {
555+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
556+
len = INT_MAX;
557+
}
554558
RETVAL_STRINGL(contents, len, 0);
555559
} else if (len == 0) {
556560
RETVAL_EMPTY_STRING();
@@ -570,7 +574,7 @@ PHP_FUNCTION(file_put_contents)
570574
char *filename;
571575
int filename_len;
572576
zval *data;
573-
int numbytes = 0;
577+
long numbytes = 0;
574578
long flags = 0;
575579
zval *zcontext = NULL;
576580
php_stream_context *context = NULL;
@@ -622,6 +626,10 @@ PHP_FUNCTION(file_put_contents)
622626
if (php_stream_copy_to_stream_ex(srcstream, stream, PHP_STREAM_COPY_ALL, &len) != SUCCESS) {
623627
numbytes = -1;
624628
} else {
629+
if (len > LONG_MAX) {
630+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %lu to %ld bytes", (unsigned long) len, LONG_MAX);
631+
len = LONG_MAX;
632+
}
625633
numbytes = len;
626634
}
627635
break;
@@ -637,7 +645,7 @@ PHP_FUNCTION(file_put_contents)
637645
if (Z_STRLEN_P(data)) {
638646
numbytes = php_stream_write(stream, Z_STRVAL_P(data), Z_STRLEN_P(data));
639647
if (numbytes != Z_STRLEN_P(data)) {
640-
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data));
648+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data));
641649
numbytes = -1;
642650
}
643651
}
@@ -680,7 +688,7 @@ PHP_FUNCTION(file_put_contents)
680688
if (zend_std_cast_object_tostring(data, &out, IS_STRING TSRMLS_CC) == SUCCESS) {
681689
numbytes = php_stream_write(stream, Z_STRVAL(out), Z_STRLEN(out));
682690
if (numbytes != Z_STRLEN(out)) {
683-
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out));
691+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out));
684692
numbytes = -1;
685693
}
686694
zval_dtor(&out);

ext/standard/streamsfuncs.c

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -407,7 +407,7 @@ PHP_FUNCTION(stream_get_contents)
407407
zval *zsrc;
408408
long maxlen = PHP_STREAM_COPY_ALL,
409409
desiredpos = -1L;
410-
int len;
410+
long len;
411411
char *contents = NULL;
412412

413413
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ll", &zsrc, &maxlen, &desiredpos) == FAILURE) {
@@ -439,6 +439,10 @@ PHP_FUNCTION(stream_get_contents)
439439
len = php_stream_copy_to_mem(stream, &contents, maxlen, 0);
440440

441441
if (contents) {
442+
if (len > INT_MAX) {
443+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
444+
len = INT_MAX;
445+
}
442446
RETVAL_STRINGL(contents, len, 0);
443447
} else {
444448
RETVAL_EMPTY_STRING();

0 commit comments

Comments
 (0)