Add more mbfl string size checks (bug #73505)

NEWS

@@ -4,6 +4,10 @@ PHP                                                                        NEWS
 
 08 Dec 2016, PHP 5.6.29
 
+- Mbstring:
+  . Fixed bug #73505 (string length overflow in mbfl_memory_device_output
+    function). (Stas)
+
 - Mysqlnd:
   . Fixed bug #64526 (Add missing mysqlnd.* parameters to php.ini-*). (cmb)
 

ext/mbstring/libmbfl/mbfl/mbfl_memory_device.c

@@ -5,7 +5,7 @@
  * LICENSE NOTICES
  *
  * This file is part of "streamable kanji code filter and converter",
- * which is distributed under the terms of GNU Lesser General Public 
+ * which is distributed under the terms of GNU Lesser General Public
  * License (version 2) as published by the Free Software Foundation.
  *
  * This software is distributed in the hope that it will be useful,
@@ -146,6 +146,10 @@ mbfl_memory_device_output(int c, void *data)
 		unsigned char *tmp;
 
 		newlen = device->length + device->allocsz;
+		if (newlen <= 0) {
+			/* overflow */
+			return -1;
+		}
 		tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 		if (tmp == NULL) {
 			return -1;
@@ -169,6 +173,10 @@ mbfl_memory_device_output2(int c, void *data)
 		unsigned char *tmp;
 
 		newlen = device->length + device->allocsz;
+		if (newlen <= 0) {
+			/* overflow */
+			return -1;
+		}
 		tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 		if (tmp == NULL) {
 			return -1;
@@ -194,6 +202,10 @@ mbfl_memory_device_output4(int c, void* data)
 		unsigned char *tmp;
 
 		newlen = device->length + device->allocsz;
+		if (newlen <= 0) {
+			/* overflow */
+			return -1;
+		}
 		tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 		if (tmp == NULL) {
 			return -1;
@@ -227,6 +239,10 @@ mbfl_memory_device_strcat(mbfl_memory_device *device, const char *psrc)
 	if ((device->pos + len) >= device->length) {
 		/* reallocate buffer */
 		int newlen = device->length + (len + MBFL_MEMORY_DEVICE_ALLOC_SIZE)*sizeof(unsigned char);
+		if (newlen <= 0) {
+			/* overflow */
+			return -1;
+		}
 		unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 		if (tmp == NULL) {
 			return -1;
@@ -254,6 +270,10 @@ mbfl_memory_device_strncat(mbfl_memory_device *device, const char *psrc, int len
 	if ((device->pos + len) >= device->length) {
 		/* reallocate buffer */
 		int newlen = device->length + len + MBFL_MEMORY_DEVICE_ALLOC_SIZE;
+		if (newlen <= 0) {
+			/* overflow */
+			return -1;
+		}
 		unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)device->buffer, newlen*sizeof(unsigned char));
 		if (tmp == NULL) {
 			return -1;
@@ -281,6 +301,10 @@ mbfl_memory_device_devcat(mbfl_memory_device *dest, mbfl_memory_device *src)
 	if ((dest->pos + src->pos) >= dest->length) {
 		/* reallocate buffer */
 		int newlen = dest->length + src->pos + MBFL_MEMORY_DEVICE_ALLOC_SIZE;
+		if (newlen <= 0) {
+			/* overflow */
+			return -1;
+		}
 		unsigned char *tmp = (unsigned char *)mbfl_realloc((void *)dest->buffer, newlen*sizeof(unsigned char));
 		if (tmp == NULL) {
 			return -1;
@@ -336,6 +360,10 @@ mbfl_wchar_device_output(int c, void *data)
 		unsigned int *tmp;
 
 		newlen = device->length + device->allocsz;
+		if (newlen <= 0) {
+			/* overflow */
+			return -1;
+		}
 		tmp = (unsigned int *)mbfl_realloc((void *)device->buffer, newlen*sizeof(int));
 		if (tmp == NULL) {
 			return -1;

ext/standard/string.c

@@ -20,8 +20,6 @@
 
 /* $Id$ */
 
-/* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
-
 #include <stdio.h>
 #include "php.h"
 #include "php_rand.h"