From 05255749139b3686c8a6a58ee01131ac0047465e Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 20 Jun 2017 00:09:01 -0700
Subject: [PATCH] Fix bug #74603 - use correct buffer size
---
Zend/tests/bug74603.ini | 1 +
Zend/tests/bug74603.phpt | 15 +++++++++++++++
Zend/zend_ini_parser.y | 2 +-
3 files changed, 17 insertions(+), 1 deletion(-)
create mode 100644 Zend/tests/bug74603.ini
create mode 100644 Zend/tests/bug74603.phpt
--- /dev/null
+++ b/Zend/tests/bug74603.ini
@@ -0,0 +1 @@
+0=0&~2000000000
--- /dev/null
+++ b/Zend/tests/bug74603.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability)
+--SKIPIF--
+<?php
+if (PHP_INT_MAX !== 2147483647)
+ die('skip for 32-bit only');
+--FILE--
+<?php
+var_dump(parse_ini_file(__DIR__ . "/bug74603.ini", true, INI_SCANNER_NORMAL));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(1) "0"
+}
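Review bot: The `--EXPECT--` block pins only the parsed value `string(1) "0"`, and an unfixed build would presumably print the same value unless the out-of-bounds write happens to crash the process. As written, the test may therefore pass with or without the fix on a plain build, and is likely to catch a regression reliably only under a memory checker such as ASan or valgrind. I would state that in the test itself, for example with a `--DESCRIPTION--` section saying that the overflow is small and that the test is meaningful mainly on instrumented 32-bit builds. The 32-bit-only `--SKIPIF--` also means most CI runners will skip it, so it is worth confirming that a 32-bit job actually runs this file.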
--- a/Zend/zend_ini_parser.y
+++ b/Zend/zend_ini_parser.y
@@ -49,7 +49,7 @@ static void zend_ini_do_op(char type, zv
{
int i_result;
int i_op1, i_op2;
- char str_result[MAX_LENGTH_OF_LONG];
+ char str_result[MAX_LENGTH_OF_LONG+1];
i_op1 = atoi(Z_STRVAL_P(op1));
free(Z_STRVAL_P(op1));
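Review bot: The new declaration `char str_result[MAX_LENGTH_OF_LONG+1];` corrects the size by arithmetic on a macro defined outside this hunk, and nothing at the declaration says what the extra byte is for. A short comment would stop a later cleanup from removing it, for example `/* +1: room for the terminating NUL after the longest formatted value */`. The write into `str_result` happens further down in `zend_ini_do_op`, outside the hunk. If that write is an unbounded format call, bounding it with `sizeof(str_result)` would make it safe by construction, so the declaration and the write cannot drift apart again. Separately, the context line `i_op1 = atoi(Z_STRVAL_P(op1));` parses file-supplied text with `atoi`, which reports no error and has undefined behaviour on out-of-range input; `strtol` with an `errno`/end-pointer check would be a worthwhile follow-up.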