More string length checks & fixes

Author: smalyshev

ext/bz2/bz2.c

@@ -513,7 +513,7 @@ static PHP_FUNCTION(bzcompress)
 	dest_len   = (unsigned int) (source_len + (0.01 * source_len) + 600);
 
 	/* Allocate the destination buffer */
-	dest = emalloc(dest_len + 1);
+	dest = safe_emalloc(dest_len, 1, 1);
 
 	/* Handle the optional arguments */
 	if (argc > 1) {

ext/iconv/iconv.c

@@ -2491,7 +2491,7 @@ PHP_NAMED_FUNCTION(php_if_iconv)
 		&out_buffer, &out_len, out_charset, in_charset);
 	_php_iconv_show_error(err, out_charset, in_charset TSRMLS_CC);
 	if (err == PHP_ICONV_ERR_SUCCESS && out_buffer != NULL) {
-		RETVAL_STRINGL(out_buffer, out_len, 0);
+		RETVAL_STRINGL_CHECK(out_buffer, out_len, 0);
 	} else {
 		if (out_buffer != NULL) {
 			efree(out_buffer);

ext/imap/php_imap.c

@@ -3916,7 +3916,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
 #define PHP_IMAP_CLEAN	if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
 #define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
 
-	bufferHeader = (char *)emalloc(bufferLen + 1);
+	bufferHeader = (char *)safe_emalloc(bufferLen, 1, 1);
 	memset(bufferHeader, 0, bufferLen);
 	if (to && *to) {
 		strlcat(bufferHeader, "To: ", bufferLen + 1);

ext/intl/breakiterator/breakiterator_iterators.cpp

@@ -182,7 +182,7 @@ static void _breakiterator_parts_move_forward(zend_object_iterator *iter TSRMLS_
 	}
 	assert(next <= slen && next >= cur);
 	len = next - cur;
-	res = static_cast<char*>(emalloc(len + 1));
+	res = static_cast<char*>(safe_emalloc(len, 1, 1));
 
 	memcpy(res, &s[cur], len);
 	res[len] = '\0';

ext/intl/intl_convert.c

@@ -49,7 +49,7 @@ void intl_convert_utf8_to_utf16(
 	UErrorCode* status )
 {
 	UChar*      dst_buf = NULL;
-	int32_t     dst_len = 0;
+	uint32_t    dst_len = 0;
 
 	/* If *target is NULL determine required destination buffer size (pre-flighting).
 	 * Otherwise, attempt to convert source string; if *target buffer is not large enough

ext/intl/locale/locale_methods.c

@@ -263,6 +263,9 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
 	int32_t     	buflen          = 512;
 	UErrorCode  	status          = U_ZERO_ERROR;
 
+	if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {
+		return NULL;
+	}
 
 	if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
 		/* Handle  grandfathered languages */
@@ -395,7 +398,7 @@ static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
 	if(loc_name_len == 0) {
 		loc_name = intl_locale_get_default(TSRMLS_C);
 	}
-	
+
 	INTL_CHECK_LOCALE_LEN(strlen(loc_name));
 
 	/* Call ICU get */
@@ -702,6 +705,8 @@ PHP_FUNCTION( locale_get_keywords )
         RETURN_FALSE;
     }
 
+	INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
     if(loc_name_len == 0) {
         loc_name = intl_locale_get_default(TSRMLS_C);
     }
@@ -1109,6 +1114,8 @@ PHP_FUNCTION(locale_parse)
         RETURN_FALSE;
     }
 
+    INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
     if(loc_name_len == 0) {
         loc_name = intl_locale_get_default(TSRMLS_C);
     }

ext/intl/msgformat/msgformat_data.c

@@ -80,10 +80,10 @@ msgformat_data* msgformat_data_create( TSRMLS_D )
 /* }}} */
 
 #ifdef MSG_FORMAT_QUOTE_APOS
-int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec) 
+int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
 {
 	if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
-		UChar *npattern = emalloc(sizeof(UChar)*(2*(*spattern_len)+1));
+		UChar *npattern = safe_emalloc(sizeof(UChar)*2, *spattern_len, sizeof(UChar));
 		uint32_t npattern_len;
 		npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
 		efree(*spattern);

ext/standard/exec.c

@@ -133,7 +133,7 @@ PHPAPI int php_exec(int type, char *cmd, zval *array, zval *return_value TSRMLS_
 
 	if (type != 3) {
 		b = buf;
-		
+
 		while (php_stream_get_line(stream, b, EXEC_INPUT_BUF, &bufl)) {
 			/* no new line found, let's read some more */
 			if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) {
@@ -330,7 +330,7 @@ PHPAPI char *php_escape_shell_cmd(char *str)
 				cmd[y++] = str[x];
 				break;
 #else
-			/* % is Windows specific for enviromental variables, ^%PATH% will 
+			/* % is Windows specific for enviromental variables, ^%PATH% will
 				output PATH while ^%PATH^% will not. escapeshellcmd will escape all % and !.
 			*/
 			case '%':
@@ -492,7 +492,7 @@ PHP_FUNCTION(escapeshellcmd)
 			return;
 		}
 		cmd = php_escape_shell_cmd(command);
-		RETVAL_STRING(cmd, 0);
+		RETVAL_STRINGL_CHECK(cmd, strlen(cmd), 0);
 	} else {
 		RETVAL_EMPTY_STRING();
 	}
@@ -517,7 +517,7 @@ PHP_FUNCTION(escapeshellarg)
 			return;
 		}
 		cmd = php_escape_shell_arg(argument);
-		RETVAL_STRING(cmd, 0);
+		RETVAL_STRINGL_CHECK(cmd, strlen(cmd), 0);
 	}
 }
 /* }}} */
@@ -551,7 +551,7 @@ PHP_FUNCTION(shell_exec)
 	php_stream_close(stream);
 
 	if (total_readbytes > 0) {
-		RETVAL_STRINGL(ret, total_readbytes, 0);
+		RETVAL_STRINGL_CHECK(ret, total_readbytes, 0);
 	}
 }
 /* }}} */

ext/standard/php_smart_str.h

@@ -57,7 +57,8 @@
 		newlen = (n);												\
 		(d)->a = newlen < SMART_STR_START_SIZE 						\
 				? SMART_STR_START_SIZE 								\
-				: newlen + SMART_STR_PREALLOC;						\
+				: (newlen >= (INT_MAX - SMART_STR_PREALLOC)? newlen \
+							: (newlen + SMART_STR_PREALLOC));		\
 		SMART_STR_DO_REALLOC(d, what);								\
 	} else {														\
 		newlen = (d)->len + (n);									\

ext/standard/string.c

@@ -908,11 +908,7 @@ PHP_FUNCTION(wordwrap)
 		RETURN_FALSE;
 	}
 
-	if (linelength < 0) {
-		/* For BC */
-		linelength = 0;
-	}
-	if (linelength > INT_MAX) {
+	if (linelength < 0 || linelength > INT_MAX) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be between 0 and %d", INT_MAX);
 		RETURN_FALSE;
 	}