possible integer overflow in content

possible integer overflow in content_length

Bug #60205	possible integer overflow in content_length
Submitted:	2011-11-03 07:04 UTC	Modified:	2011-11-03 07:26 UTC
From:	laruence@php.net	Assigned:	laruence (profile)
Status:	Closed	Package:	*General Issues
PHP Version:	5.3.8	OS:
Private report:	No	CVE-ID:	None

[2011-11-03 07:04 UTC] laruence@php.net

Description:
------------
in php_apache_request_ctor (sapi/apache2handler/sapi_apache2.c)

	SG(request_info).content_length = (content_length ? atoi(content_length) : 
0);


so when the content_length exceed INT_MAX,  the content_length will be a wrong 
value. 

Test script:
---------------
none

Expected result:
----------------
none

Actual result:
--------------
none

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-11-03 07:12 UTC] laruence@php.net

actullay this cause the upload progress(also apc, session upload progress) return 
wrong message when try to uploading   bigger than 4GB file in 64-bit OS.

change atoi to atol can make this more sense(long content_length in the 
request_info struct defination)

[2011-11-03 07:24 UTC] laruence@php.net

-Summary: possible interge overflow in content_length +Summary: possible integer overflow in content_length

[2011-11-03 07:26 UTC] laruence@php.net

-Status: Assigned +Status: Closed -Package: Apache2 related +Package: *General Issues