Merge branch 'PHP-7.3'

* PHP-7.3: Validate length on socket_write
2024-11-24 02:15:04 +08:00 · 2018-11-13 13:00:31 +01:00 · 2018-11-13 13:00:31 +01:00 · 177d45b7e7
commit 177d45b7e7
parent 12cbe930cd 8a11c9ee76
5 changed files with 53 additions and 0 deletions
--- a/3
+++ b/3
@ -30,6 +30,9 @@ PHP                                                                        NEWS
  . Implemented sqlite_stmt_readonly in PDO_SQLite. (BohwaZ)
  . Lifted requirements to SQLite 3.5.0. (cmb)

+- Sockets:
+  . Fixed bug #67619 (Validate length on socket_write). (thiagooak)
+
 - SQLite3:
  . Unbundled libsqlite. (cmb)
  . Lifted requirements to SQLite 3.5.0. (cmb)
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@ -1208,6 +1208,11 @@ PHP_FUNCTION(socket_write)
 		return;
 	}

+	if (length < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}
@ -1750,6 +1755,11 @@ PHP_FUNCTION(socket_send)
 		return;
 	}

+	if (len < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}
@ -1912,6 +1922,11 @@ PHP_FUNCTION(socket_sendto)
 		return;
 	}

+	if (len < 0) {
+		php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+		RETURN_FALSE;
+	}
+
 	if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
 		RETURN_FALSE;
 	}
--- a/ext/sockets/tests/socket_send_params.phpt
+++ b/ext/sockets/tests/socket_send_params.phpt
@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_send - test with incorrect parameters
+--SKIPIF--
+<?php
+    if (!extension_loaded('sockets')) {
+        die('skip sockets extension not available.');
+    }
+?>
+--FILE--
+<?php
+    $rand = rand(1,999);
+    $s_c = socket_create_listen(31330+$rand);
+    $s_w = socket_send($s_c, "foo", -1, MSG_OOB);
+    socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_send(): Length cannot be negative in %s on line %i
--- a/ext/sockets/tests/socket_sendto_params.phpt
+++ b/ext/sockets/tests/socket_sendto_params.phpt
@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_sendto - test with incorrect parameters
+--SKIPIF--
+<?php
+    if (!extension_loaded('sockets')) {
+        die('skip sockets extension not available.');
+    }
+?>
+--FILE--
+<?php
+    $rand = rand(1,999);
+    $s_c = socket_create_listen(31330+$rand);
+    $s_w = socket_sendto($s_c, "foo", -1, MSG_OOB, '127.0.0.1');
+    socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_sendto(): Length cannot be negative in %s on line %i
--- a/ext/sockets/tests/socket_write_params.phpt
+++ b/ext/sockets/tests/socket_write_params.phpt
@ -17,6 +17,7 @@ fa@php.net
    $s_c = socket_create_listen(31330+$rand);
    $s_w = socket_write($s_c);
    $s_w = socket_write($s_c, "foo");
+    $s_w = socket_write($s_c, "foo", -1);
    socket_close($s_c);
 ?>
 --EXPECTF--