Hello Antony, ok, i checked the code in full length and all is fine indeed :-)
best regards marcus Saturday, May 20, 2006, 3:07:57 PM, you wrote: > Hello Marcus. > What I did is basically backported this fix by Jani: > http://cvs.php.net/viewcvs.cgi/php-src/ext/wddx/wddx.c?r1=1.119.2.1&r2=1.119.2.2 > If you feel it's wrong - please fix it, though it works fine for me. > On 20.05.2006 02:35, Marcus Boerger wrote: >> Hello Antony, >> >> see inplace comments below >> >> best regards >> marcus >> >> Friday, May 19, 2006, 12:37:32 PM, you wrote: >> >>> tony2001 Fri May 19 10:37:32 2006 UTC >> >>> Modified files: (Branch: PHP_4_4) >>> /php-src/ext/wddx wddx.c >>> Log: >>> MFH fix for #34306 (wddx_serialize_value() crashes with long array keys) >>> >>> >>> http://cvs.php.net/viewcvs.cgi/php-src/ext/wddx/wddx.c?r1=1.96.2.6.2.4&r2=1.96.2.6.2.5&diff_format=u >>> Index: php-src/ext/wddx/wddx.c >>> diff -u php-src/ext/wddx/wddx.c:1.96.2.6.2.4 >>> php-src/ext/wddx/wddx.c:1.96.2.6.2.5 >>> --- php-src/ext/wddx/wddx.c:1.96.2.6.2.4 Sun Apr 23 16:02:37 2006 >>> +++ php-src/ext/wddx/wddx.c Fri May 19 10:37:32 2006 >>> @@ -16,7 +16,7 @@ >>> +----------------------------------------------------------------------+ >>> */ >>> >>> -/* $Id: wddx.c,v 1.96.2.6.2.4 2006/04/23 16:02:37 iliaa Exp $ */ >>> +/* $Id: wddx.c,v 1.96.2.6.2.5 2006/05/19 10:37:32 tony2001 Exp $ */ >>> >>> #ifdef HAVE_CONFIG_H >>> #include "config.h" >>> @@ -432,7 +432,7 @@ >>> tmp = *var; >>> zval_copy_ctor(&tmp); >>> convert_to_string(&tmp); >>> - sprintf(tmp_buf, WDDX_NUMBER, Z_STRVAL(tmp)); >>> + snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp)); >> >> >> *** This should most likely read sizeof(tmp_buf) *** >> >>> zval_dtor(&tmp); >>> >>> php_wddx_add_chunk(packet, tmp_buf); >>> @@ -624,17 +624,19 @@ >>> */ >>> void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, >>> int name_len TSRMLS_DC) >>> { >>> - char tmp_buf[WDDX_BUF_LEN]; >>> + char *tmp_buf; >>> char *name_esc; >>> int name_esc_len; >>> >>> if (name) { >>> name_esc = php_escape_html_entities(name, name_len, >>> &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC); >>> - sprintf(tmp_buf, WDDX_VAR_S, name_esc); >>> + tmp_buf = emalloc(name_esc_len + 1); >>> + snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc); >> >> *** This should also most likely be sizeof(tmp_buf) *** >> >>> php_wddx_add_chunk(packet, tmp_buf); >>> + efree(tmp_buf); >>> efree(name_esc); >>> } >>> - >>> + >>> switch(Z_TYPE_P(var)) { >>> case IS_STRING: >>> php_wddx_serialize_string(packet, var); >> >> >> >> >> Best regards, >> Marcus >> >> >> > -- > Wbr, > Antony Dovgal Best regards, Marcus -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
