mirror of https://github.com/phpv8/v8js.git synced 2025-01-09 00:31:53 +00:00

check ArrayAccess offset/count against int max limits

Stefan Siegl 2017-03-10 22:50:28 +01:00
parent 78807b6720
commit d69d8e9671


@ -16,6 +16,7 @@
#include "php_v8js_macros.h" #include "php_v8js_macros.h"
#include "v8js_array_access.h" #include "v8js_array_access.h"
#include "v8js_exceptions.h"
#include "v8js_object_export.h" #include "v8js_object_export.h"
extern "C" { extern "C" {
@ -24,6 +25,7 @@ extern "C" {
#include "ext/standard/php_string.h" #include "ext/standard/php_string.h"
#include "zend_interfaces.h" #include "zend_interfaces.h"
#include "zend_closures.h" #include "zend_closures.h"
#include "zend_exceptions.h"
} }
static zval v8js_array_access_dispatch(zend_object *object, const char *method_name, int param_count, static zval v8js_array_access_dispatch(zend_object *object, const char *method_name, int param_count,
@ -123,8 +125,15 @@ static int v8js_array_access_get_count_result(zend_object *object TSRMLS_DC) /*
return 0; return 0;
} }
int result = Z_LVAL(php_value); zend_long result = Z_LVAL(php_value);
return result;
if (result > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Array size/offset exceeds maximum supported length", 0);
return 0;
}
return static_cast<int>(result);
} }
/* }}} */ /* }}} */
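Review bot: The new bound check in v8js_array_access_get_count_result only rejects values above `std::numeric_limits<int>::max()`, so a `zend_long` below `std::numeric_limits<int>::min()` still reaches `static_cast<int>(result)` and is narrowed to an unrelated value, and any other negative count is returned unchanged. Since a count cannot legitimately be negative, the condition could read `if (result < 0 || result > std::numeric_limits<int>::max()) {`. The function also returns 0 after `zend_throw_exception`, which looks the same as an empty object, so callers presumably have to check for a pending exception; a short comment on that `return 0;` saying so would help. `<limits>` is not among the includes added in the visible hunks, so it may be worth including it explicitly rather than relying on a transitive include. The function starts above this hunk, so the type check that precedes `Z_LVAL(php_value)` is not visible here.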