iliaa Wed Feb 25 17:10:10 2004 EDT Modified files: /php-src/ext/sockets sockets.c Log: Fixed bug #21760 (Use of uninitialized pointer inside php_read()). Fixed 3 possible crashes due to integer overflow or invalid user input inside the sockets extension. http://cvs.php.net/diff.php/php-src/ext/sockets/sockets.c?r1=1.158&r2=1.159&ty=u Index: php-src/ext/sockets/sockets.c diff -u php-src/ext/sockets/sockets.c:1.158 php-src/ext/sockets/sockets.c:1.159 --- php-src/ext/sockets/sockets.c:1.158 Thu Jan 8 03:17:27 2004 +++ php-src/ext/sockets/sockets.c Wed Feb 25 17:10:09 2004 @@ -19,7 +19,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: sockets.c,v 1.158 2004/01/08 08:17:27 andi Exp $ */ +/* $Id: sockets.c,v 1.159 2004/02/25 22:10:09 iliaa Exp $ */ #ifdef HAVE_CONFIG_H #include "config.h" @@ -266,6 +266,7 @@ set_errno(0); + *t = '\0'; while (*t != '\n' && *t != '\r' && n < maxlen) { if (m > 0) { t++; @@ -828,6 +829,11 @@ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|l", &arg1, &length, &type) == FAILURE) return; + /* overflow check */ + if ((length + 1) < 2) { + RETURN_FALSE; + } + tmpbuf = emalloc(length + 1); ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket); @@ -1225,6 +1231,11 @@ ZEND_FETCH_RESOURCE(php_sock, php_socket *, &php_sock_res, -1, le_socket_name, le_socket); + /* overflow check */ + if ((len + 1) < 2) { + RETURN_FALSE; + } + recv_buf = emalloc(len + 1); memset(recv_buf, 0, len + 1); @@ -1301,6 +1312,11 @@ ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket); + /* overflow check */ + if ((arg3 + 2) < 3) { + RETURN_FALSE; + } + recv_buf = emalloc(arg3 + 2); memset(recv_buf, 0, arg3 + 2);
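Review bot: The loop condition in the `@@ -266,6 +266,7 @@` hunk still reads `*t` before it tests `n < maxlen`, and the added `*t = '\0';` has no comment explaining that it keeps the first test off uninitialized memory. I would add `/* seed the first byte so the first loop test never reads uninitialized memory (bug #21760) */` above it. Writing the condition as `n < maxlen && *t != '\n' && *t != '\r'` would test the bound before the byte is read. The new store also assumes the caller's buffer holds at least one byte. The loop body and the start of the function are outside the hunk, so both points should be confirmed against the callers.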
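Review bot: The guard `(length + 1) < 2` in the `@@ -828,6 +829,11 @@` hunk adds before it tests, so for a signed `length` at its maximum the `+ 1` is itself signed overflow, which is undefined behavior in C and which an optimizing compiler may assume cannot happen. Comparing before adding avoids that: `if (length < 1 || length == LONG_MAX) {`, assuming `length` is a `long` as the `"l"` specifier suggests (its declaration is outside the hunk). The same pattern appears as `(len + 1) < 2` in the `@@ -1225,6 +1231,11 @@` hunk and as `(arg3 + 2) < 3` in the `@@ -1301,6 +1312,11 @@` hunk, where the upper bound would be `arg3 > LONG_MAX - 2`. The comment `/* overflow check */` should also say that zero and negative lengths are rejected, since that is what the test does for ordinary input.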