Skip to content

Commit 34e686c

Browse files
m6w6m6w6
committed
fix integer overflow in {stream,file}_{get,put}_contents()
1 parent 899fe3d commit 34e686c

File tree

2 files changed

+17
-5
lines changed

2 files changed

+17
-5
lines changed

ext/standard/file.c

Lines changed: 12 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -518,7 +518,7 @@ PHP_FUNCTION(file_get_contents)
518518
char *contents;
519519
zend_bool use_include_path = 0;
520520
php_stream *stream;
521-
int len;
521+
long len;
522522
long offset = -1;
523523
long maxlen = PHP_STREAM_COPY_ALL;
524524
zval *zcontext = NULL;
@@ -550,6 +550,10 @@ PHP_FUNCTION(file_get_contents)
550550
}
551551

552552
if ((len = php_stream_copy_to_mem(stream, &contents, maxlen, 0)) > 0) {
553+
if (len > INT_MAX) {
554+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
555+
len = INT_MAX;
556+
}
553557
RETVAL_STRINGL(contents, len, 0);
554558
} else if (len == 0) {
555559
RETVAL_EMPTY_STRING();
@@ -569,7 +573,7 @@ PHP_FUNCTION(file_put_contents)
569573
char *filename;
570574
int filename_len;
571575
zval *data;
572-
int numbytes = 0;
576+
long numbytes = 0;
573577
long flags = 0;
574578
zval *zcontext = NULL;
575579
php_stream_context *context = NULL;
@@ -621,6 +625,10 @@ PHP_FUNCTION(file_put_contents)
621625
if (php_stream_copy_to_stream_ex(srcstream, stream, PHP_STREAM_COPY_ALL, &len) != SUCCESS) {
622626
numbytes = -1;
623627
} else {
628+
if (len > LONG_MAX) {
629+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %lu to %ld bytes", (unsigned long) len, LONG_MAX);
630+
len = LONG_MAX;
631+
}
624632
numbytes = len;
625633
}
626634
break;
@@ -636,7 +644,7 @@ PHP_FUNCTION(file_put_contents)
636644
if (Z_STRLEN_P(data)) {
637645
numbytes = php_stream_write(stream, Z_STRVAL_P(data), Z_STRLEN_P(data));
638646
if (numbytes != Z_STRLEN_P(data)) {
639-
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data));
647+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN_P(data));
640648
numbytes = -1;
641649
}
642650
}
@@ -679,7 +687,7 @@ PHP_FUNCTION(file_put_contents)
679687
if (zend_std_cast_object_tostring(data, &out, IS_STRING TSRMLS_CC) == SUCCESS) {
680688
numbytes = php_stream_write(stream, Z_STRVAL(out), Z_STRLEN(out));
681689
if (numbytes != Z_STRLEN(out)) {
682-
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %d of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out));
690+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only %ld of %d bytes written, possibly out of free disk space", numbytes, Z_STRLEN(out));
683691
numbytes = -1;
684692
}
685693
zval_dtor(&out);

ext/standard/streamsfuncs.c

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -407,7 +407,7 @@ PHP_FUNCTION(stream_get_contents)
407407
zval *zsrc;
408408
long maxlen = PHP_STREAM_COPY_ALL,
409409
desiredpos = -1L;
410-
int len;
410+
long len;
411411
char *contents = NULL;
412412

413413
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ll", &zsrc, &maxlen, &desiredpos) == FAILURE) {
@@ -439,6 +439,10 @@ PHP_FUNCTION(stream_get_contents)
439439
len = php_stream_copy_to_mem(stream, &contents, maxlen, 0);
440440

441441
if (contents) {
442+
if (len > INT_MAX) {
443+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "content truncated from %ld to %d bytes", len, INT_MAX);
444+
len = INT_MAX;
445+
}
442446
RETVAL_STRINGL(contents, len, 0);
443447
} else {
444448
RETVAL_EMPTY_STRING();

0 commit comments

Comments
 (0)