
[Security] memcpy negative parameter _bc_new_num_ex

fredemmott committed Dec 18, 2017
1 parent 9de2e69 commit bc4a1a8663f45b3a776f8f4102aa17cd4c587539
Showing with 11 additions and 3 deletions.
  1. +11 −3 hphp/runtime/ext/bcmath/init.c
@@ -35,6 +35,7 @@
#include <stdlib.h>
#include <ctype.h>
#include <stdarg.h>
#include <limits.h>
#include "bcmath.h"
#include "private.h"
@@ -50,7 +51,15 @@ _bc_new_num_ex (length, scale, persistent)
{
bc_num temp;
temp = (bc_num)malloc(sizeof(bc_struct)+length + scale);
assert(length >= 0);
assert(scale >= 0);
size_t malloc_size = sizeof(bc_struct) + (size_t)length + (size_t)scale;
if (malloc_size > INT_MAX) {
bc_out_of_memory();
}
temp = (bc_num)malloc(malloc_size);
if (temp == NULL) bc_out_of_memory();
#if 0
if (_bc_Free_list != NULL) {
temp = _bc_Free_list;
@@ -67,7 +76,7 @@ _bc_new_num_ex (length, scale, persistent)
temp->n_ptr = (char *)malloc(length + scale);
if (temp->n_ptr == NULL) bc_out_of_memory();
temp->n_value = temp->n_ptr;
memset(temp->n_ptr, 0, length+scale);
memset(temp->n_ptr, 0, length + scale);
return temp;
}
@@ -126,4 +135,3 @@ bc_init_num (bc_num *num TSRMLS_DC)
{
*num = bc_copy_num (BCG(_zero_));
}
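Review bot: The non-negative precondition in `_bc_new_num_ex` is enforced only by `assert(length >= 0)` and `assert(scale >= 0)`, which compile to nothing when NDEBUG is defined, so a release build may not check it at all. In that case the `(size_t)` casts turn a negative `length` or `scale` into a very large value, the sum can wrap to a small number that passes the `malloc_size > INT_MAX` test, and the later `malloc(length + scale)` and `memset(temp->n_ptr, 0, length + scale)` still run on the original signed values. I would make the check unconditional with `if (length < 0 || scale < 0) bc_out_of_memory();` ahead of the size computation, and add a comment on the INT_MAX test such as `/* bounds the total so length + scale below cannot overflow int */`. This assumes `bc_out_of_memory()` does not return, which is not visible on this page. The function body also continues outside the shown hunks.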
