diff options
| author | xXx-caillou-xXx | 2018-07-13 14:55:23 +0200 |
|---|---|---|
| committer | jvoisin | 2018-07-13 12:55:23 +0000 |
| commit | 7bd365ebc471409f85e6561f7da4f93d7017bfa4 (patch) | |
| tree | 3a5ef9438a025e53de751a6dd9162cc7ee5df960 /src/sp_unserialize.c | |
| parent | b1bf270b41f94ce2df668be611e5b646397a7a52 (diff) | |
Fix various possible integer overflows
Diffstat (limited to 'src/sp_unserialize.c')
| -rw-r--r-- | src/sp_unserialize.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/sp_unserialize.c b/src/sp_unserialize.c index db99389..0f27255 100644 --- a/src/sp_unserialize.c +++ b/src/sp_unserialize.c | |||
| @@ -24,6 +24,10 @@ PHP_FUNCTION(sp_serialize) { | |||
| 24 | call_user_function(CG(function_table), NULL, &func_name, &hmac, 3, params); | 24 | call_user_function(CG(function_table), NULL, &func_name, &hmac, 3, params); |
| 25 | 25 | ||
| 26 | size_t len = Z_STRLEN_P(return_value) + Z_STRLEN(hmac); | 26 | size_t len = Z_STRLEN_P(return_value) + Z_STRLEN(hmac); |
| 27 | if (len < Z_STRLEN_P(return_value)) { | ||
| 28 | sp_log_err("overflow_error", "Overflow tentative detected in sp_serialize."); | ||
| 29 | sp_terminate(); | ||
| 30 | } | ||
| 27 | zend_string *res = zend_string_alloc(len, 0); | 31 | zend_string *res = zend_string_alloc(len, 0); |
| 28 | 32 | ||
| 29 | memcpy(ZSTR_VAL(res), Z_STRVAL_P(return_value), Z_STRLEN_P(return_value)); | 33 | memcpy(ZSTR_VAL(res), Z_STRVAL_P(return_value), Z_STRLEN_P(return_value)); |