Commit

Fix integer overflow in chunk_split
Reviewed By: @ptarjan

Differential Revision: D1515947
FBNeal authored and hhvm-bot committed Aug 26, 2014
1 parent 30dff9f commit 1f91e07
Showing 3 changed files with 13 additions and 2 deletions.
10 changes: 8 additions & 2 deletions hphp/runtime/base/zend-string.cpp
@@ -626,8 +626,14 @@ String string_chunk_split(const char *src, int srclen, const char *end,
int chunks = srclen / chunklen; // complete chunks!
int restlen = srclen - chunks * chunklen; /* srclen % chunklen */

int out_len = (chunks + 1) * endlen + srclen;
String ret(out_len, ReserveString);
String ret(
safe_address(
chunks + 1,
endlen,
srclen
),
ReserveString
);
char *dest = ret.bufferSlice().ptr;

const char *p; char *q;
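Review bot: The removed `out_len` computation `(chunks + 1) * endlen + srclen` is plain `int` arithmetic, so a large `endlen` combined with many chunks wraps before the buffer is reserved and `dest` ends up pointing at an undersized allocation; routing the same multiply-add through `safe_address(chunks + 1, endlen, srclen)` is the right fix because the size is checked before any memory is touched. Since the `out_len` local disappears here, confirm that nothing later in the function (beyond the visible context, for example where the final string size is set) still refers to it; `dest` is already taken from `ret.bufferSlice().ptr`, so that use is covered. A one-line comment above `String ret(` stating that the product can exceed 2^31-2 and that `safe_address` fails fatally would spare the next reader a trip to the test to understand why the simpler expression was abandoned.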
3 changes: 3 additions & 0 deletions hphp/test/slow/ext_string/chunk_split_overflow.php
@@ -0,0 +1,3 @@
<?php

chunk_split(str_repeat('*', 2000000), 1.0, str_repeat('*', 2000000));
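Review bot: The magic numbers deserve a comment: with a chunk length of 1, each of the 2,000,000 source bytes gets the 2,000,000-byte `$end` appended, so the required output length is (2,000,000 + 1) * 2,000,000 + 2,000,000, far beyond what a 32-bit length can hold, which is exactly the case the new `safe_address` call must reject. Passing `1.0` rather than `1` as the chunk length reads like a typo unless it is deliberate, so say which in the comment. The test only exercises the overflow path; a normal-size `chunk_split` call with a known expected string alongside it would guard the refactored allocation against a regression in the non-overflow case.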
2 changes: 2 additions & 0 deletions hphp/test/slow/ext_string/chunk_split_overflow.php.expectf
@@ -0,0 +1,2 @@

Fatal error: String length exceeded 2^31-2: 4000004000000 in %s on line 3
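Review bot: The expected length 4000004000000 equals (2000000 + 1) * 2000000 + 2000000, so this file pins down two things at once: that `safe_address` reports the true, unwrapped size, and that it terminates with a fatal error instead of handing back a truncated buffer. The `%s` placeholder keeps the test independent of the checkout path, and the leading blank line is the usual prefix of a PHP fatal-error message, so leave it in place. Note that any rewording of the message in `safe_address` will break this expectation; that is acceptable here because the message is the only observable signal that the check fired.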

1 comment on commit 1f91e07

@FBNeal

@FBNeal FBNeal commented on 1f91e07 Sep 4, 2014


This issue has been assigned CVE-2014-6228
