Skip to content

Commit b416181

Browse files
smalyshevJulien Pauli
authored andcommitted
Add test for bug #69522
1 parent b91f759 commit b416181

File tree

2 files changed

+17
-0
lines changed

2 files changed

+17
-0
lines changed

ext/standard/pack.c

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -654,6 +654,12 @@ PHP_FUNCTION(unpack)
654654
break;
655655
}
656656

657+
if (size != 0 && size != -1 && size < 0) {
658+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type);
659+
zval_dtor(return_value);
660+
RETURN_FALSE;
661+
}
662+
657663
/* Do actual unpacking */
658664
for (i = 0; i != arg; i++ ) {
659665
/* Space for name + number, safe as namelen is ensured <= 200 */
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
--TEST--
2+
Bug #69522 (heap buffer overflow in unpack())
3+
--FILE--
4+
<?php
5+
$a = pack("AAAAAAAAAAAA", 1,2,3,4,5,6,7,8,9,10,11,12);
6+
$b = unpack('h2147483648', $a);
7+
?>
8+
===DONE===
9+
--EXPECTF--
10+
Warning: unpack(): Type h: integer overflow in %s on line %d
11+
===DONE===

0 commit comments

Comments
 (0)