Fix bug #74603 - use correct buffer size

smalyshev · smalyshev · commit 5f8380d33e64 · 2017-07-04T19:00:03.000-07:00
diff --git a/Zend/tests/bug74603.ini b/Zend/tests/bug74603.ini
@@ -0,0 +1 @@
+0=0&~2000000000
diff --git a/Zend/tests/bug74603.phpt b/Zend/tests/bug74603.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability)
+--SKIPIF--
+<?php
+if (PHP_INT_MAX !== 2147483647)
+        die('skip for 32-bit only');
+--FILE--
+<?php
+var_dump(parse_ini_file(__DIR__ . "/bug74603.ini", true, INI_SCANNER_NORMAL));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(1) "0"
+}
diff --git a/Zend/zend_ini_parser.y b/Zend/zend_ini_parser.y
@@ -53,7 +53,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
 {
 	int i_result;
 	int i_op1, i_op2;
-	char str_result[MAX_LENGTH_OF_LONG];
+	char str_result[MAX_LENGTH_OF_LONG+1];
 
 	i_op1 = atoi(Z_STRVAL_P(op1));
 	free(Z_STRVAL_P(op1));

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ static void zend_ini_do_op(char type, zval result, zval op1, zval *op2)`
`53`	`53`	`{`
`54`	`54`	`int i_result;`
`55`	`55`	`int i_op1, i_op2;`
`56`		`- char str_result[MAX_LENGTH_OF_LONG];`
	`56`	`+ char str_result[MAX_LENGTH_OF_LONG+1];`
`57`	`57`
`58`	`58`	`i_op1 = atoi(Z_STRVAL_P(op1));`
`59`	`59`	`free(Z_STRVAL_P(op1));`