tony2001 Wed Feb 15 11:16:56 2006 UTC Modified files: (Branch: PHP_5_0) /php-src/sapi/isapi php5isapi.c Log: MF51: fix memory leak and possible invalid reads http://cvs.php.net/viewcvs.cgi/php-src/sapi/isapi/php5isapi.c?r1=1.3.2.3&r2=1.3.2.4&diff_format=u
Index: php-src/sapi/isapi/php5isapi.c
diff -u php-src/sapi/isapi/php5isapi.c:1.3.2.3 php-src/sapi/isapi/php5isapi.c:1.3.2.4
--- php-src/sapi/isapi/php5isapi.c:1.3.2.3 Sun Apr 17 03:39:14 2005
+++ php-src/sapi/isapi/php5isapi.c Wed Feb 15 11:16:56 2006
@@ -16,7 +16,7 @@
 | Ben Mansell <[EMAIL PROTECTED]> (Zeus Support) |
 +----------------------------------------------------------------------+
 */
-/* $Id: php5isapi.c,v 1.3.2.3 2005/04/17 03:39:14 sniper Exp $ */
+/* $Id: php5isapi.c,v 1.3.2.4 2006/02/15 11:16:56 tony2001 Exp $ */
 #include "php.h"
 #include <httpext.h>
@@ -279,14 +279,18 @@
 break;
 default: {
 const char *sline = SG(sapi_headers).http_status_line;
-
- status_buf = emalloc(MAX_STATUS_LENGTH + 1);
+ int sline_len;
 /* httpd requires that r->status_line is set to the first digit of
 * the status-code: */
- if (sline && strlen(sline) > 12 && strncmp(sline, "HTTP/1.", 7) == 0 && sline[8] == ' ') {
- status_buf = estrndup(sline + 9, MAX_STATUS_LENGTH);
+ if (sline && ((sline_len = strlen(sline)) > 12) && strncmp(sline, "HTTP/1.", 7) == 0 && sline[8] == ' ') {
+ if ((sline_len - 9) > MAX_STATUS_LENGTH) {
+ status_buf = estrndup(sline + 9, MAX_STATUS_LENGTH);
+ } else {
+ status_buf = estrndup(sline + 9, sline_len - 9);
+ }
 } else {
+ status_buf = emalloc(MAX_STATUS_LENGTH + 1);
 snprintf(status_buf, MAX_STATUS_LENGTH, "%d Undescribed", SG(sapi_headers).http_response_code);
 }
 header_info.pszStatus = status_buf;
@@ -302,9 +306,9 @@
 lpECB->ServerSupportFunction(lpECB->ConnID, HSE_REQ_SEND_RESPONSE_HEADER_EX, &header_info, NULL, NULL);
 efree(combined_headers);
- if (status_buf) {
+ if (status_buf) {
 efree(status_buf);
- }
+ }
 return SAPI_HEADER_SENT_SUCCESSFULLY;
 }
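Review bot: `sline_len` is declared `int` but is assigned the `size_t` result of `strlen(sline)` inside the `if` condition of the second hunk (@@ -279), so the length that bounds both `estrndup` calls goes through a narrowing, signed conversion; declaring it `size_t sline_len;` keeps the `> 12` test and the `(sline_len - 9) > MAX_STATUS_LENGTH` comparison unsigned and in range. The comment carried over above the `if` still talks about httpd's `r->status_line`, while this code fills `header_info.pszStatus`; I would replace it with `/* copy the text after "HTTP/1.x ", at most MAX_STATUS_LENGTH bytes and never more than the string holds */` so the reason for the two-way length check stays on record. The status text is copied as given, and whether CR/LF characters are rejected before it reaches this point cannot be seen from the hunk. The enclosing function starts before the hunk and continues after it.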