You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

34 lines
1.2 KiB

Index: php5-5.4.45/ext/standard/file.c
===================================================================
--- php5-5.4.45.orig/ext/standard/file.c 2016-06-19 11:37:18.000000000 +0200
+++ php5-5.4.45/ext/standard/file.c 2016-06-19 11:37:18.000000000 +0200
@@ -1752,6 +1752,12 @@
RETURN_FALSE;
}
+ if (len > INT_MAX) {
+ /* string length is int in 5.x so we can not read more than int */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
+ RETURN_FALSE;
+ }
+
Z_STRVAL_P(return_value) = emalloc(len + 1);
Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);
Index: php5-5.4.45/ext/standard/tests/file/bug72114.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/standard/tests/file/bug72114.phpt 2016-06-19 11:37:18.000000000 +0200
@@ -0,0 +1,12 @@
+--TEST--
+Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
+--FILE--
+<?php
+ini_set('memory_limit', "2500M");
+$fp = fopen("/dev/zero", "r");
+fread($fp, 2147483648);
+?>
+Done
+--EXPECTF--
+Warning: fread(): Length parameter must be no more than 2147483647 in %s/bug72114.php on line %d
+Done