Skip to content

Commit ff23286

Browse files
authored
Size is always one in curl functions (#22733)
Assert and take advantage of that size is always 1. This is also documented in [the curl docs](https://curl.se/libcurl/c/CURLOPT_READFUNCTION.html). So there is no need to multiply with size, so this can be removed. I started this to see whether size * nmemb can overflow. This makes it clear that it cannot.
1 parent 583403a commit ff23286

1 file changed

Lines changed: 10 additions & 4 deletions

File tree

ext/curl/interface.c

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -522,9 +522,11 @@ PHP_MSHUTDOWN_FUNCTION(curl)
522522
/* {{{ curl_write */
523523
static size_t curl_write(char *data, size_t size, size_t nmemb, void *ctx)
524524
{
525+
ZEND_ASSERT(size == 1);
526+
525527
php_curl *ch = (php_curl *) ctx;
526528
php_curl_write *write_handler = ch->handlers.write;
527-
size_t length = size * nmemb;
529+
size_t length = nmemb;
528530

529531
#if PHP_CURL_DEBUG
530532
fprintf(stderr, "curl_write() called\n");
@@ -786,6 +788,8 @@ static int curl_ssh_hostkeyfunction(void *clientp, int keytype, const char *key,
786788
/* {{{ curl_read */
787789
static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx)
788790
{
791+
ZEND_ASSERT(size == 1);
792+
789793
php_curl *ch = (php_curl *)ctx;
790794
php_curl_read *read_handler = ch->handlers.read;
791795
size_t length = 0;
@@ -808,15 +812,15 @@ static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx)
808812
} else {
809813
ZVAL_NULL(&argv[1]);
810814
}
811-
ZVAL_LONG(&argv[2], (int)size * nmemb);
815+
ZVAL_LONG(&argv[2], (zend_long) nmemb);
812816

813817
ch->in_callback = true;
814818
zend_call_known_fcc(&read_handler->fcc, &retval, /* param_count */ 3, argv, /* named_params */ NULL);
815819
ch->in_callback = false;
816820
if (!Z_ISUNDEF(retval)) {
817821
_php_curl_verify_handlers(ch, /* reporterror */ true);
818822
if (Z_TYPE(retval) == IS_STRING) {
819-
length = MIN(size * nmemb, Z_STRLEN(retval));
823+
length = MIN(nmemb, Z_STRLEN(retval));
820824
memcpy(data, Z_STRVAL(retval), length);
821825
} else if (Z_TYPE(retval) == IS_LONG) {
822826
length = Z_LVAL_P(&retval);
@@ -884,9 +888,11 @@ static int curl_seek(void *clientp, curl_off_t offset, int origin)
884888
/* {{{ curl_write_header */
885889
static size_t curl_write_header(char *data, size_t size, size_t nmemb, void *ctx)
886890
{
891+
ZEND_ASSERT(size == 1);
892+
887893
php_curl *ch = (php_curl *) ctx;
888894
php_curl_write *write_handler = ch->handlers.write_header;
889-
size_t length = size * nmemb;
895+
size_t length = nmemb;
890896

891897
switch (write_handler->method) {
892898
case PHP_CURL_STDOUT:

0 commit comments

Comments
 (0)