
Commit 8bc8994

committed
Merge branch 'PHP-7.0'
* PHP-7.0: Use safe alloc functions when calculations are made on sizes.
2 parents af7174f + 88bd7cb commit 8bc8994


1 file changed

+26
-14
lines changed


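--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -998,12 +998,12 @@ PHP_FUNCTION(wordwrap)
 /* Multiple character line break or forced cut */
 if (linelength > 0) {
 chk = (size_t)(ZSTR_LEN(text)/linelength + 1);
-newtext = zend_string_alloc(chk * breakchar_len + ZSTR_LEN(text), 0);
+newtext = zend_string_safe_alloc(chk, breakchar_len, ZSTR_LEN(text), 0);
 alloced = ZSTR_LEN(text) + chk * breakchar_len + 1;
 } else {
 chk = ZSTR_LEN(text);
 alloced = ZSTR_LEN(text) * (breakchar_len + 1) + 1;
-newtext = zend_string_alloc(ZSTR_LEN(text) * (breakchar_len + 1), 0);
+newtext = zend_string_safe_alloc(ZSTR_LEN(text), breakchar_len + 1, 0, 0);
 }
 
 /* now keep track of the actual new text length */
@@ -1245,8 +1245,8 @@ PHPAPI void php_implode(const zend_string *delim, zval *arr, zval *return_value)
 len += ZSTR_LEN(*strptr);
 }
 } ZEND_HASH_FOREACH_END();
-
-str = zend_string_alloc(len + (numelems - 1) * ZSTR_LEN(delim), 0);
+/* numelems can not be 0, we checked above */
+str = zend_string_safe_alloc(numelems - 1, ZSTR_LEN(delim), len, 0);
 cptr = ZSTR_VAL(str) + ZSTR_LEN(str);
 *cptr = 0;
 
@@ -2344,7 +2344,7 @@ PHP_FUNCTION(chunk_split)
 
 if ((size_t)chunklen > ZSTR_LEN(str)) {
 /* to maintain BC, we must return original string + ending */
-result = zend_string_alloc(endlen + ZSTR_LEN(str), 0);
+result = zend_string_safe_alloc(ZSTR_LEN(str), 1, endlen, 0);
 memcpy(ZSTR_VAL(result), ZSTR_VAL(str), ZSTR_LEN(str));
 memcpy(ZSTR_VAL(result) + ZSTR_LEN(str), end, endlen);
 ZSTR_VAL(result)[ZSTR_LEN(result)] = '\0';
@@ -2710,7 +2710,7 @@ PHP_FUNCTION(quotemeta)
 RETURN_FALSE;
 }
 
-str = zend_string_alloc(2 * ZSTR_LEN(old), 0);
+str = zend_string_safe_alloc(2, ZSTR_LEN(old), 0, 0);
 
 for (p = ZSTR_VAL(old), q = ZSTR_VAL(str); p != old_end; p++) {
 c = *p;
@@ -3231,7 +3231,11 @@ static zend_string *php_str_to_str_ex(zend_string *haystack,
 /* Needle doesn't occur, shortcircuit the actual replacement. */
 goto nothing_todo;
 }
-new_str = zend_string_alloc(count * (str_len - needle_len) + ZSTR_LEN(haystack), 0);
+if (str_len > needle_len) {
+new_str = zend_string_safe_alloc(count, str_len - needle_len, ZSTR_LEN(haystack), 0);
+} else {
+new_str = zend_string_alloc(count * (str_len - needle_len) + ZSTR_LEN(haystack), 0);
+}
 
 e = s = ZSTR_VAL(new_str);
 end = ZSTR_VAL(haystack) + ZSTR_LEN(haystack);
@@ -3308,8 +3312,12 @@ static zend_string *php_str_to_str_i_ex(zend_string *haystack, char *lc_haystack
 zend_string_release(lc_needle);
 goto nothing_todo;
 }
-
-new_str = zend_string_alloc(count * (str_len - ZSTR_LEN(lc_needle)) + ZSTR_LEN(haystack), 0);
+
+if (str_len > ZSTR_LEN(lc_needle)) {
+new_str = zend_string_safe_alloc(count, str_len - ZSTR_LEN(lc_needle), ZSTR_LEN(haystack), 0);
+} else {
+new_str = zend_string_alloc(count * (str_len - ZSTR_LEN(lc_needle)) + ZSTR_LEN(haystack), 0);
+}
 
 e = s = ZSTR_VAL(new_str);
 end = lc_haystack + ZSTR_LEN(haystack);
@@ -3387,7 +3395,11 @@ PHPAPI zend_string *php_str_to_str(char *haystack, size_t length, char *needle,
 new_str = zend_string_init(haystack, length, 0);
 return new_str;
 } else {
-new_str = zend_string_alloc(count * (str_len - needle_len) + length, 0);
+if (str_len > needle_len) {
+new_str = zend_string_safe_alloc(count, str_len - needle_len, length, 0);
+} else {
+new_str = zend_string_alloc(count * (str_len - needle_len) + length, 0);
+}
 }
 }
 
@@ -3815,7 +3827,7 @@ PHPAPI zend_string *php_addcslashes(zend_string *str, int should_free, char *wha
 char *end;
 char c;
 size_t newlen;
-zend_string *new_str = zend_string_alloc(4 * ZSTR_LEN(str), 0);
+zend_string *new_str = zend_string_safe_alloc(4, ZSTR_LEN(str), 0, 0);
 
 php_charmask((unsigned char *)what, wlength, flags);
 
@@ -3890,7 +3902,7 @@ PHPAPI zend_string *php_addslashes(zend_string *str, int should_free)
 
 do_escape:
 offset = source - (char *)ZSTR_VAL(str);
-new_str = zend_string_alloc(offset + (2 * (ZSTR_LEN(str) - offset)), 0);
+new_str = zend_string_safe_alloc(2, ZSTR_LEN(str) - offset, offset, 0);
 memcpy(ZSTR_VAL(new_str), ZSTR_VAL(str), offset);
 target = ZSTR_VAL(new_str) + offset;
 
@@ -4412,7 +4424,7 @@ PHP_FUNCTION(nl2br)
 {
 size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);
 
-result = zend_string_alloc(repl_cnt * repl_len + ZSTR_LEN(str), 0);
+result = zend_string_safe_alloc(repl_cnt, repl_len, ZSTR_LEN(str), 0);
 target = ZSTR_VAL(result);
 }
 
@@ -5596,7 +5608,7 @@ PHP_FUNCTION(money_format)
 }
 }
 
-str = zend_string_alloc(format_len + 1024, 0);
+str = zend_string_safe_alloc(format_len, 1, 1024, 0);
 if ((res_len = strfmon(ZSTR_VAL(str), ZSTR_LEN(str), format, value)) < 0) {
 zend_string_free(str);
 RETURN_FALSE;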
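Review bot: The `else` branches added in php_str_to_str_ex, php_str_to_str_i_ex and php_str_to_str still size the buffer with the unchecked `count * (str_len - needle_len) + ZSTR_LEN(haystack)`, which produces the right length only because the subtraction wraps and the final addition wraps back. Assuming the lengths are unsigned `size_t` and `count` is the number of non-overlapping matches (neither is visible in these hunks), the result cannot exceed the haystack length, but nothing in the code says so, and a later change to either assumption would silently turn this into an undersized allocation. I would write the shrinking case as a plain subtraction, `new_str = zend_string_alloc(ZSTR_LEN(haystack) - count * (needle_len - str_len), 0);` (using `length` and `ZSTR_LEN(lc_needle)` in the other two functions), and put `/* replacement is not longer than the needle: result <= haystack length, cannot overflow */` above it. All three function bodies start and end outside the hunks shown.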
