File php-5.2.5-CVE-2008-1384.patch of Package php5
Index: ext/standard/formatted_print.c =================================================================== RCS file: /repository/php-src/ext/standard/formatted_print.c,v retrieving revision 1.82.2.1.2.17 retrieving revision 1.82.2.1.2.19 diff -u -p -r1.82.2.1.2.17 -r1.82.2.1.2.19 --- ext/standard/formatted_print.c 4 Oct 2007 13:31:11 -0000 1.82.2.1.2.17 +++ ext/standard/formatted_print.c 17 Mar 2008 23:00:41 -0000 1.82.2.1.2.19 @@ -2,7 +2,7 @@ +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2007 The PHP Group | + | Copyright (c) 1997-2008 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: formatted_print.c,v 1.82.2.1.2.17 2007/10/04 13:31:11 jani Exp $ */ +/* $Id: formatted_print.c,v 1.82.2.1.2.19 2008/03/17 23:00:41 stas Exp $ */ #include <math.h> /* modf() */ #include "php.h" @@ -76,6 +76,7 @@ php_sprintf_appendstring(char **buffer, register int npad; int req_size; int copy_len; + int m_width; copy_len = (expprec ? MIN(max_width, len) : len); npad = min_width - copy_len; 
@@ -86,11 +87,19 @@ php_sprintf_appendstring(char **buffer, PRINTF_DEBUG(("sprintf: appendstring(%x, %d, %d, \"%s\", %d, '%c', %d)\n", *buffer, *pos, *size, add, min_width, padding, alignment)); + m_width = MAX(min_width, copy_len); - req_size = *pos + MAX(min_width, copy_len) + 1; + if(m_width > INT_MAX - *pos - 1) { + zend_error_noreturn(E_ERROR, "Field width %d is too long", m_width); + } + + req_size = *pos + m_width + 1; if (req_size > *size) { while (req_size > *size) { + if(*size > INT_MAX/2) { + zend_error_noreturn(E_ERROR, "Field width %d is too long", req_size); + } *size <<= 1; } PRINTF_DEBUG(("sprintf ereallocing buffer to %d bytes\n", *size));
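Review bot: In the last hunk (@@ -86,11 +87,19), the check added inside the `while (req_size > *size)` loop passes `req_size` to the message "Field width %d is too long", but `req_size` is `*pos + m_width + 1`, so the number reported is the required buffer size, not the field width from the format string. Pass `m_width` there, as the first check does, or reword that message to say the required buffer size is too large. A one-line comment above `if(m_width > INT_MAX - *pos - 1)` stating that it keeps `*pos + m_width + 1` from overflowing the `int` `req_size` would document why the subtraction form is used. The new guards rely on `INT_MAX`, and the only includes visible in this diff are `<math.h>` and "php.h", so confirm `<limits.h>` is reached through one of them or include it explicitly. Both new conditions are written `if(` while the surrounding context uses `if (`; match the file's spacing.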