php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-27 01:32:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-5.4'

Browse Source 
* PHP-5.4:
  Fix potential integer overflow in nl2br
  Fix potential integer overflow in bin2hex
This commit is contained in:
Nikita Popov
2012-07-05 21:00:16 +02:00
parent 3b104785c0 5cf2f87fa7
commit ed54357fcd
1 changed files with 7 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
ext/standard/string.c
View File

@@ -131,8 +131,8 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t *
register unsigned char *result = NULL;
size_t i, j;
result = (unsigned char *) safe_emalloc(oldlen * 2, sizeof(char), 1);
result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1);
for (i = j = 0; i < oldlen; i++) {
result[j++] = hexconvtab[old[i] >> 4];
result[j++] = hexconvtab[old[i] & 15];
@@ -4029,13 +4029,12 @@ PHP_FUNCTION(nl2br)
RETURN_STRINGL(str, str_len, 1);
}
if (is_xhtml) {
new_length = str_len + repl_cnt * (sizeof("<br />") - 1);
} else {
new_length = str_len + repl_cnt * (sizeof("<br>") - 1);
}
{
size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);
tmp = target = emalloc(new_length + 1);
new_length = str_len + repl_cnt * repl_len;
tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1);
}
while (str < end) {
switch (*str) {