authorOndřej Surý <ondrej@sury.org>2014-05-27 16:54:58 +0200
committerOndřej Surý <ondrej@sury.org>2014-05-27 16:54:58 +0200
commit32c3fbba663e5b1da38bdd2d84b0a9a78271ddfa (patch)
tree67a05c22fdb6ad63666fb043c28701bbd6225c9f /ext/spl
parent4bbffbee21093458feadd96f93b96d4627461cff (diff)
New upstream version 5.6.0~beta3+dfsgupstream/5.6.0_beta3+dfsg
Diffstat (limited to 'ext/spl')
-rw-r--r--ext/spl/spl_fixedarray.c2
-rw-r--r--ext/spl/tests/bug67247.phpt13
2 files changed, 14 insertions, 1 deletions
diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c
index 0519edaa2..2ad50359f 100644
--- a/ext/spl/spl_fixedarray.c
+++ b/ext/spl/spl_fixedarray.c
@@ -116,7 +116,7 @@ static void spl_fixedarray_resize(spl_fixedarray *array, long size TSRMLS_DC) /*
array->elements = NULL;
}
} else if (size > array->size) {
- array->elements = erealloc(array->elements, sizeof(zval *) * size);
+ array->elements = safe_erealloc(array->elements, size, sizeof(zval *), 0);
memset(array->elements + array->size, '\0', sizeof(zval *) * (size - array->size));
} else { /* size < array->size */
long i;
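Review bot: The `safe_erealloc` call on the `+` line carries no comment explaining why the overflow-checked allocator is required, and the `memset` on the next line is only safe because of it. Its length `sizeof(zval *) * (size - array->size)` cannot wrap once `size * sizeof(zval *)` has been validated, assuming `array->size` is never negative. I would add `/* size is script-controlled (setSize); safe_erealloc bails out if size * sizeof(zval *) overflows, which also bounds the memset below */` above the call so a later refactor does not revert to a plain `erealloc`. The function body starts and ends outside this hunk. The branch that allocates for a previously empty array is not visible here, so it is worth confirming that path also uses an overflow-checked allocation.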
diff --git a/ext/spl/tests/bug67247.phpt b/ext/spl/tests/bug67247.phpt
new file mode 100644
index 000000000..cb71445d7
--- /dev/null
+++ b/ext/spl/tests/bug67247.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #67247 (spl_fixedarray_resize integer overflow)
+--FILE--
+<?php
+$ar = new SplFixedArray(1);
+echo "size: ".$ar->getSize()."\n";
+$ar->setSize((PHP_INT_SIZE==8)?0x2000000000000001:0x40000001);
+echo "size: ".$ar->getSize()."\n";
+?>
+--EXPECTF--
+size: 1
+
+Fatal error: Possible integer overflow in memory allocation (%d * %d + 0) in %s on line %d
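Review bot: The test only exercises growth from a non-empty array (`new SplFixedArray(1)` followed by `setSize()`), which is the `size > array->size` branch the fix touches. The resize path for an array that starts empty, and the constructor called with the same oversized value, are not covered. A regression in either would go unnoticed if they allocate through a different call, which cannot be confirmed from this diff. Because the fatal error ends the script, each extra case needs its own `.phpt` file, for example one starting with `$ar = new SplFixedArray(0);` and the same `setSize()` argument. Its expected output should be checked against a fixed build rather than copied from this file.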