Skip to content

Commit 6c5211a

Browse files
committed
Fix bug #72455: Heap Overflow due to integer overflows
1 parent f6aef68 commit 6c5211a

File tree

1 file changed

+8
-0
lines changed

1 file changed

+8
-0
lines changed

Diff for: ext/mcrypt/mcrypt.c

+8
Original file line numberDiff line numberDiff line change
@@ -692,6 +692,10 @@ PHP_FUNCTION(mcrypt_generic)
692692
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
693693
block_size = mcrypt_enc_get_block_size(pm->td);
694694
data_size = (((data_len - 1) / block_size) + 1) * block_size;
695+
if (data_size <= 0) {
696+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
697+
RETURN_FALSE;
698+
}
695699
data_s = emalloc(data_size + 1);
696700
memset(data_s, 0, data_size);
697701
memcpy(data_s, data, data_len);
@@ -737,6 +741,10 @@ PHP_FUNCTION(mdecrypt_generic)
737741
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
738742
block_size = mcrypt_enc_get_block_size(pm->td);
739743
data_size = (((data_len - 1) / block_size) + 1) * block_size;
744+
if (data_size <= 0) {
745+
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
746+
RETURN_FALSE;
747+
}
740748
data_s = emalloc(data_size + 1);
741749
memset(data_s, 0, data_size);
742750
memcpy(data_s, data, data_len);

0 commit comments

Comments
 (0)