@@ -577,6 +577,11 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil
577577 data = arg1 ;
578578 }
579579
580+ if (ZEND_SIZE_T_UINT_OVFL (ZSTR_LEN (data ))) {
581+ php_error_docref (NULL , E_WARNING , "Input string is too long" );
582+ RETURN_FALSE ;
583+ }
584+
580585 doc = tidyCreate ();
581586 errbuf = emalloc (sizeof (TidyBuffer ));
582587 tidyBufInit (errbuf );
@@ -608,7 +613,7 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil
608613 TidyBuffer buf ;
609614
610615 tidyBufInit (& buf );
611- tidyBufAttach (& buf , (byte * ) ZSTR_VAL (data ), ZSTR_LEN (data ));
616+ tidyBufAttach (& buf , (byte * ) ZSTR_VAL (data ), ( uint ) ZSTR_LEN (data ));
612617
613618 if (tidyParseBuffer (doc , & buf ) < 0 ) {
614619 php_error_docref (NULL , E_WARNING , "%s" , errbuf -> bp );
@@ -1158,10 +1163,15 @@ static int php_tidy_output_handler(void **nothing, php_output_context *output_co
11581163 tidyOptSetBool (doc , TidyForceOutput , yes );
11591164 tidyOptSetBool (doc , TidyMark , no );
11601165
1166+ if (ZEND_SIZE_T_UINT_OVFL (output_context -> in .used )) {
1167+ php_error_docref (NULL , E_WARNING , "Input string is too long" );
1168+ return status ;
1169+ }
1170+
11611171 TIDY_SET_DEFAULT_CONFIG (doc );
11621172
11631173 tidyBufInit (& inbuf );
1164- tidyBufAttach (& inbuf , (byte * ) output_context -> in .data , output_context -> in .used );
1174+ tidyBufAttach (& inbuf , (byte * ) output_context -> in .data , ( uint ) output_context -> in .used );
11651175
11661176 if (0 <= tidyParseBuffer (doc , & inbuf ) && 0 <= tidyCleanAndRepair (doc )) {
11671177 tidyBufInit (& outbuf );
@@ -1412,7 +1422,7 @@ static PHP_FUNCTION(tidy_get_config)
14121422 break ;
14131423
14141424 case TidyBoolean :
1415- add_assoc_bool (return_value , opt_name , ( zend_long ) opt_value );
1425+ add_assoc_bool (return_value , opt_name , opt_value ? 1 : 0 );
14161426 break ;
14171427 }
14181428 }
0 commit comments