php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-29 03:03:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

MFH:

Browse Source 
Fixed bug #21760 (Use of uninitialized pointer inside php_read()).
	Fixed 3 possible crashes due to integer overflow or invalid user input
	inside the sockets extension.
This commit is contained in:
Ilia Alshanetsky
2004-02-25 22:12:03 +00:00
parent d4e86c36ed
commit 2af0c3bbdf
2 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
NEWS
+4
View File
@@ -1,6 +1,8 @@
PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Feb 2004, Version 4.3.5
- Fixed possible crashes inside socket extension, due to missing check inside
allocation functions. (Ilia)
- Fixed bug #27384 (unpack() misbehaves with 1 char string). (GeorgeS)
- Fixed bug #27383 (Potential crash inside fopen_wrapper, while parsing
response code). (Ilia)
@@ -16,6 +18,8 @@ PHP 4 NEWS
(Jani, Markus dot Lidel at shadowconnect dot com)
- Fixed bug #26005 (Random "cannot change the session ini settings" errors).
(Jani, jsnajdr at kerio dot com)
- Fixed bug #21760 (Use of uninitialized pointer inside php_read()). (Ilia,
uce at ftc dot gov)
16 Feb 2004, Version 4.3.5RC3
- Fixed zero bytes memory allocation when no extra ini files are found in the
ext/sockets/sockets.c
+15 -1
View File
@@ -294,6 +294,7 @@ static int php_read(int bsd_socket, void *buf, size_t maxlen, int flags)
set_errno(0);
*t = '\0';
while (*t != '\n' && *t != '\r' && n < maxlen) {
if (m > 0) {
t++;
@@ -808,7 +809,10 @@ PHP_FUNCTION(socket_read)
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|l", &arg1, &length, &type) == FAILURE)
return;
if(length<0) RETURN_FALSE;
/* overflow check */
if((length + 1) < 2) {
RETURN_FALSE;
}
tmpbuf = emalloc(length + 1);
ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket);
@@ -1372,6 +1376,11 @@ PHP_FUNCTION(socket_recv)
ZEND_FETCH_RESOURCE(php_sock, php_socket *, &php_sock_res, -1, le_socket_name, le_socket);
/* overflow check */
if ((len + 1) < 2) {
RETURN_FALSE;
}
recv_buf = emalloc(len + 1);
memset(recv_buf, 0, len + 1);
@@ -1446,6 +1455,11 @@ PHP_FUNCTION(socket_recvfrom)
if(arg3<0) RETURN_FALSE;
/* overflow check */
if ((arg3 + 2) < 3) {
RETURN_FALSE;
}
recv_buf = emalloc(arg3 + 2);
memset(recv_buf, 0, arg3 + 2);