[2016-06-16 04:53 UTC] stas@php.net
-Assigned To:
+Assigned To: stas
[2016-06-16 04:53 UTC] stas@php.net
[2016-06-21 06:53 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-06-21 06:53 UTC] stas@php.net
[2016-07-06 16:03 UTC] php-e1b at deemzed dot uk
[2016-07-07 09:34 UTC] ab@php.net
Description:
------------
```
PHP_FUNCTION(nl2br)
{
	/* in brief this inserts <br /> or <br> before matched regexp \n\r?|\r\n? */
	char *tmp, *str;
	int new_length;
	char *end, *target;
	int repl_cnt = 0;
	int str_len;
	zend_bool is_xhtml = 1;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &is_xhtml) == FAILURE) {
		return;
	}
...
	{
		size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);

		new_length = str_len + repl_cnt * repl_len; // ==> integer overflow
...
	RETURN_STRINGL(tmp, new_length, 0);
```

PoC:
```
<?php
ini_set('memory_limit', -1);
$str = nl2br(str_repeat("\n", 0xffffffff/14+1));
var_dump(strlen($str));
?>
```

Fix: checking new_length
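The arithmetic behind the report, worked through for the PoC's input as an added example (not code from the PHP source or from the reporter). It assumes a 32-bit `int` and the 6-byte `<br />` replacement; `unchecked_new_length` and `checked_new_length` are hypothetical names, and the checked variant is one way to test the bound, not the patch that was committed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models the report's `int new_length` on a platform with 32-bit int:
 * the sum is formed in a wide unsigned type, then only the low 32 bits
 * survive and are read back as a signed value. */
static int32_t unchecked_new_length(int32_t str_len, int32_t repl_cnt, size_t repl_len)
{
    uint64_t wide = (uint64_t)str_len + (uint64_t)repl_cnt * repl_len;
    uint32_t low = (uint32_t)wide;
    return low <= INT32_MAX ? (int32_t)low : (int32_t)((int64_t)low - 4294967296LL);
}

/* Hypothetical checked variant: returns 0 and sets *out when the result
 * fits in a 32-bit int, -1 when it would not. The bound is tested by
 * division so the check itself cannot overflow. */
static int checked_new_length(int32_t str_len, int32_t repl_cnt, size_t repl_len, int32_t *out)
{
    if (str_len < 0 || repl_cnt < 0)
        return -1;
    if (repl_len != 0 &&
        (uint64_t)repl_cnt > ((uint64_t)INT32_MAX - (uint64_t)str_len) / repl_len)
        return -1;
    *out = (int32_t)((int64_t)str_len + (int64_t)repl_cnt * (int64_t)repl_len);
    return 0;
}

int main(void)
{
    /* Constructed input: the PoC's newline count, 0xffffffff/14+1 as an integer. */
    int32_t n = 306783379;
    size_t repl_len = sizeof("<br />") - 1; /* 6 bytes */
    int32_t safe = 0;

    /* 306783379 * 7 = 2147483653, which is INT_MAX + 6 and wraps negative. */
    printf("unchecked: %d\n", (int)unchecked_new_length(n, n, repl_len));
    if (checked_new_length(n, n, repl_len, &safe) != 0)
        puts("checked: rejected, result does not fit in int");
    return 0;
}
```

One newline fewer (306783378) gives 2147483646, which still fits, so the PoC's count is the smallest all-newline input that wraps.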