@@ -2203,7 +2203,12 @@ PHP_FUNCTION(simplexml_load_file)
22032203 return ;
22042204 }
22052205
2206- docp = xmlReadFile (filename , NULL , options );
2206+ if (ZEND_LONG_EXCEEDS_INT (options )) {
2207+ php_error_docref (NULL , E_WARNING , "Invalid options" );
2208+ RETURN_FALSE ;
2209+ }
2210+
2211+ docp = xmlReadFile (filename , NULL , (int )options );
22072212
22082213 if (!docp ) {
22092214 RETURN_FALSE ;
@@ -2244,7 +2249,20 @@ PHP_FUNCTION(simplexml_load_string)
22442249 return ;
22452250 }
22462251
2247- docp = xmlReadMemory (data , data_len , NULL , NULL , options );
2252+ if (ZEND_SIZE_T_INT_OVFL (data_len )) {
2253+ php_error_docref (NULL , E_WARNING , "Data is too long" );
2254+ RETURN_FALSE ;
2255+ }
2256+ if (ZEND_SIZE_T_INT_OVFL (ns_len )) {
2257+ php_error_docref (NULL , E_WARNING , "Namespace is too long" );
2258+ RETURN_FALSE ;
2259+ }
2260+ if (ZEND_LONG_EXCEEDS_INT (options )) {
2261+ php_error_docref (NULL , E_WARNING , "Invalid options" );
2262+ RETURN_FALSE ;
2263+ }
2264+
2265+ docp = xmlReadMemory (data , (int )data_len , NULL , NULL , (int )options );
22482266
22492267 if (!docp ) {
22502268 RETURN_FALSE ;
@@ -2281,7 +2299,20 @@ SXE_METHOD(__construct)
22812299 return ;
22822300 }
22832301
2284- docp = is_url ? xmlReadFile (data , NULL , options ) : xmlReadMemory (data , data_len , NULL , NULL , options );
2302+ if (ZEND_SIZE_T_INT_OVFL (data_len )) {
2303+ php_error_docref (NULL , E_WARNING , "Data is too long" );
2304+ RETURN_FALSE ;
2305+ }
2306+ if (ZEND_SIZE_T_INT_OVFL (ns_len )) {
2307+ php_error_docref (NULL , E_WARNING , "Namespace is too long" );
2308+ RETURN_FALSE ;
2309+ }
2310+ if (ZEND_LONG_EXCEEDS_INT (options )) {
2311+ php_error_docref (NULL , E_WARNING , "Invalid options" );
2312+ RETURN_FALSE ;
2313+ }
2314+
2315+ docp = is_url ? xmlReadFile (data , NULL , (int )options ) : xmlReadMemory (data , (int )data_len , NULL , NULL , (int )options );
22852316
22862317 if (!docp ) {
22872318 ((php_libxml_node_object * )sxe )-> document = NULL ;
0 commit comments