Fix bug #72114 - int/size_t confusion in fread

Author: smalyshev

ext/standard/file.c

@@ -1758,6 +1758,12 @@ PHPAPI PHP_FUNCTION(fread)
 		RETURN_FALSE;
 	}
 
+	if (len > INT_MAX) {
+		/* string length is int in 5.x so we can not read more than int */
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
+		RETURN_FALSE;
+	}
+
 	Z_STRVAL_P(return_value) = emalloc(len + 1);
 	Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);
 

ext/standard/tests/file/bug72114.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
+--FILE--
+<?php
+ini_set('memory_limit', "2500M");
+$fp = fopen("/dev/zero", "r");
+fread($fp, 2147483648);
+?>
+Done
+--EXPECTF--
+Warning: fread(): Length parameter must be no more than 2147483647 in %s/bug72114.php on line %d
+Done