File php-5.2.5-CVE-2008-1384.patch of Package php5

Index: ext/standard/formatted_print.c
===================================================================
RCS file: /repository/php-src/ext/standard/formatted_print.c,v
retrieving revision 1.82.2.1.2.17
retrieving revision 1.82.2.1.2.19
diff -u -p -r1.82.2.1.2.17 -r1.82.2.1.2.19
--- ext/standard/formatted_print.c	4 Oct 2007 13:31:11 -0000	1.82.2.1.2.17
+++ ext/standard/formatted_print.c	17 Mar 2008 23:00:41 -0000	1.82.2.1.2.19
@@ -2,7 +2,7 @@
    +----------------------------------------------------------------------+
    | PHP Version 5                                                        |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1997-2007 The PHP Group                                |
+   | Copyright (c) 1997-2008 The PHP Group                                |
    +----------------------------------------------------------------------+
    | This source file is subject to version 3.01 of the PHP license,      |
    | that is bundled with this package in the file LICENSE, and is        |
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: formatted_print.c,v 1.82.2.1.2.17 2007/10/04 13:31:11 jani Exp $ */
+/* $Id: formatted_print.c,v 1.82.2.1.2.19 2008/03/17 23:00:41 stas Exp $ */
 
 #include <math.h>				/* modf() */
 #include "php.h"
@@ -76,6 +76,7 @@ php_sprintf_appendstring(char **buffer, 
 	register int npad;
 	int req_size;
 	int copy_len;
+	int m_width;
 
 	copy_len = (expprec ? MIN(max_width, len) : len);
 	npad = min_width - copy_len;
@@ -86,11 +87,19 @@ php_sprintf_appendstring(char **buffer, 
 	
 	PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n",
 				  *buffer, *pos, *size, add, min_width, padding, alignment));
+	m_width = MAX(min_width, copy_len);
 
-	req_size = *pos + MAX(min_width, copy_len) + 1;
+	if(m_width > INT_MAX - *pos - 1) {
+		zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width);
+	}
+
+	req_size = *pos + m_width + 1;
 
 	if (req_size > *size) {
 		while (req_size > *size) {
+			if(*size > INT_MAX/2) {
+				zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size); 
+			}
 			*size <<= 1;
 		}
 		PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
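Review bot: The guard added inside the doubling loop prints `req_size` under the text "Field width %d is too long", so the fatal error reports the total buffer size requested rather than the width the format string asked for; passing `m_width` there, as the first guard does, would keep the two messages consistent and make the log entry point at the offending specifier. The first guard, `m_width > INT_MAX - *pos - 1`, is written as a subtraction so that the test itself cannot overflow a signed int, and that reasoning holds only while `*pos` is non-negative; a comment such as `/* subtract rather than add so the check cannot overflow; relies on *pos >= 0 */` above it would record the assumption. Presumably `*size` is positive on entry, since otherwise `*size <<= 1` would never reach `req_size`; that initialisation is not visible here, and php_sprintf_appendstring begins and ends outside the hunk.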