From d69d8e967160268bd45827d855f28308b47ceb84 Mon Sep 17 00:00:00 2001 From: Stefan Siegl Date: Fri, 10 Mar 2017 22:50:28 +0100 Subject: [PATCH] check ArrayAccess offset/count against int max limits --- v8js_array_access.cc | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/v8js_array_access.cc b/v8js_array_access.cc index 3419172..44bc024 100644 --- a/v8js_array_access.cc +++ b/v8js_array_access.cc @@ -16,6 +16,7 @@ #include "php_v8js_macros.h" #include "v8js_array_access.h" +#include "v8js_exceptions.h" #include "v8js_object_export.h" extern "C" { @@ -24,6 +25,7 @@ extern "C" { #include "ext/standard/php_string.h" #include "zend_interfaces.h" #include "zend_closures.h" +#include "zend_exceptions.h" } static zval v8js_array_access_dispatch(zend_object *object, const char *method_name, int param_count, @@ -123,8 +125,15 @@ static int v8js_array_access_get_count_result(zend_object *object TSRMLS_DC) /* return 0; } - int result = Z_LVAL(php_value); - return result; + zend_long result = Z_LVAL(php_value); + + if (result > std::numeric_limits::max()) { + zend_throw_exception(php_ce_v8js_exception, + "Array size/offset exceeds maximum supported length", 0); + return 0; + } + + return static_cast(result); } /* }}} */
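Review bot: The new bound check in `v8js_array_access_get_count_result` rejects only values above the int maximum, so a negative `zend_long` returned by the PHP-side `count()` still passes, and one below the int minimum is truncated by the final cast. Since the count comes from userland code, I would reject both directions with `if (result < 0 || result > std::numeric_limits<int>::max()) {`; the template arguments appear to have been stripped in this rendering, and `<int>` is assumed from the function's return type. Neither include hunk adds `<limits>`, so unless another header already pulls it in, `#include <limits>` belongs outside the `extern "C"` block. The function body starts outside this hunk, so whether `php_value` is confirmed to be `IS_LONG` before `Z_LVAL` is used cannot be checked from here. The subject also mentions offsets, but only the count path is visible in this patch.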