mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-01-22 11:44:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fixed bug #21760 (Use of uninitialized pointer inside php_read()).

Browse Source 
Fixed 3 possible crashes due to integer overflow or invalid user input
inside the sockets extension.
This commit is contained in:
Ilia Alshanetsky 2004-02-25 22:10:09 +00:00
parent ccef2cfb67
commit 337b23bd93
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
ext/sockets/sockets.c
View File

@ -266,6 +266,7 @@ static int php_read(int bsd_socket, void *buf, size_t maxlen, int flags)
set_errno(0);
*t = '\0';
while (*t != '\n' && *t != '\r' && n < maxlen) {
if (m > 0) {
t++;
@ -828,6 +829,11 @@ PHP_FUNCTION(socket_read)
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|l", &arg1, &length, &type) == FAILURE)
return;
/* overflow check */
if ((length + 1) < 2) {
RETURN_FALSE;
}
tmpbuf = emalloc(length + 1);
ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket);
@ -1225,6 +1231,11 @@ PHP_FUNCTION(socket_recv)
ZEND_FETCH_RESOURCE(php_sock, php_socket *, &php_sock_res, -1, le_socket_name, le_socket);
/* overflow check */
if ((len + 1) < 2) {
RETURN_FALSE;
}
recv_buf = emalloc(len + 1);
memset(recv_buf, 0, len + 1);
@ -1301,6 +1312,11 @@ PHP_FUNCTION(socket_recvfrom)
ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket);
/* overflow check */
if ((arg3 + 2) < 3) {
RETURN_FALSE;
}
recv_buf = emalloc(arg3 + 2);
memset(recv_buf, 0, arg3 + 2);