Edit report at http://bugs.php.net/bug.php?id=51002&edit=1
ID: 51002 Updated by: paj...@php.net Reported by: s...@php.net Summary: An int variable is used as size_t in child function -Status: Assigned +Status: Closed Type: Bug Package: Zip Related Operating System: * PHP Version: 5.3.2RC1 Assigned To: pajoye New Comment: This bug has been fixed in SVN. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/. Thank you for the report, and for helping us make PHP better. Previous Comments: ------------------------------------------------------------------------ [2010-02-12 17:10:15] j...@php.net There is no such OS called 'n/a'. ------------------------------------------------------------------------ [2010-02-10 20:12:23] johan...@php.net Assign to maintainer ------------------------------------------------------------------------ [2010-02-10 20:07:06] s...@php.net Description: ------------ In php_zip_add_from_pattern() a pointer to file_stripped_len is passed to php_based which treats the address as a size_t. If the size of int differs from the size of size_t then this could cause a memory access error. int entry_name_len,file_stripped_len; ... php_basename(Z_STRVAL_PP(zval_file), Z_STRLEN_PP(zval_file), NULL, 0, &basename, (size_t *)&file_stripped_len TSRMLS_CC) This is related to Rasmus's fix http://svn.php.net/viewvc?view=revision&revision=294816 ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=51002&edit=1
