Fix #79812: Potential integer overflow in pcntl_exec()

We use the proper type, and make sure that no overflow can occur by
using `safe_emalloc()` (we can assume that neither string length is
`SIZE_MAX`).

Closes GH-6845.
Christoph M. Becker 2021-04-09 13:09:21 +02:00
parent a04fac84e7
commit 0a36d417e8
GPG Key ID: D66C9593118BCCB6
2 changed files with 6 additions and 2 deletions

NEWS

@ -21,6 +21,9 @@ PHP NEWS
- LibXML:
. Fixed bug #73533 (Invalid memory access in php_libxml_xmlCheckUTF8). (cmb)
- Pcntl:
. Fixed bug #79812 (Potential integer overflow in pcntl_exec()). (cmb)
- PDO_ODBC:
. Fixed bug #80783 (PDO ODBC truncates BLOB records at every 256th byte).
(cmb)


@ -955,7 +955,7 @@ PHP_FUNCTION(pcntl_exec)
int envc = 0, envi = 0;
char **argv = NULL, **envp = NULL;
char **current_arg, **pair;
int pair_length;
size_t pair_length;
zend_string *key;
char *path;
size_t path_len;
@ -1015,8 +1015,9 @@ PHP_FUNCTION(pcntl_exec)
}
/* Length of element + equal sign + length of key + null */
ZEND_ASSERT(Z_STRLEN_P(element) < SIZE_MAX && ZSTR_LEN(key) < SIZE_MAX);
*pair = safe_emalloc(Z_STRLEN_P(element) + 1, sizeof(char), ZSTR_LEN(key) + 1);
pair_length = Z_STRLEN_P(element) + ZSTR_LEN(key) + 2;
*pair = emalloc(pair_length);
strlcpy(*pair, ZSTR_VAL(key), ZSTR_LEN(key) + 1);
strlcat(*pair, "=", pair_length);
strlcat(*pair, Z_STRVAL_P(element), pair_length);
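Review bot: The comment `/* Length of element + equal sign + length of key + null */` now describes `pair_length`, which is assigned three lines later, while the new `ZEND_ASSERT` and `safe_emalloc()` call sit in between; move it down to sit directly above `pair_length = ...` and give the allocation its own why-comment, e.g. `/* safe_emalloc() aborts if (len + 1) + (key_len + 1) overflows, so the pair_length sum below cannot wrap */`. Since `ZEND_ASSERT` is compiled out in release builds, the ordering — checked allocation first, plain addition afterwards — is what actually carries the overflow guarantee, and that deserves to be stated where a later reordering would silently lose it. `PHP_FUNCTION(pcntl_exec)` begins and ends outside this hunk.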