ensure the string for conversion is \0 terminated and integrade

additional path length check
2024-11-23 18:04:36 +08:00 · 2017-01-21 02:11:24 +01:00 · 2017-01-21 02:11:24 +01:00 · 6b6122a957
commit 6b6122a957
parent 95406c878a
1 changed files with 19 additions and 4 deletions
--- a/Zend/zend_virtual_cwd.c
+++ b/Zend/zend_virtual_cwd.c
@ -916,6 +916,7 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 			char *printname = NULL, *substitutename = NULL;
 			size_t substitutename_len;
 			int substitutename_off = 0;
+			wchar_t tmpsubstname[MAXPATHLEN];

 			if(++(*ll) > LINK_MAX) {
 				free_alloca(tmp, use_heap);
@ -959,8 +960,15 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 				}

 				substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
-				substitutename = php_win32_cp_conv_w_to_any(reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR),
-										substitutename_len, &substitutename_len);
+				if (substitutename_len > MAXPATHLEN) {
+					free_alloca(pbuffer, use_heap_large);
+					free_alloca(tmp, use_heap);
+					FREE_PATHW()
+					return -1;
+				}
+				memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength);
+				tmpsubstname[substitutename_len] = L'\0';
+				substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len);
 				if (!substitutename) {
 					free_alloca(pbuffer, use_heap_large);
 					free_alloca(tmp, use_heap);
@ -982,8 +990,15 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i


 				substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
-				substitutename = php_win32_cp_conv_w_to_any(reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR),
-										substitutename_len, &substitutename_len);
+				if (substitutename_len > MAXPATHLEN) {
+					free_alloca(pbuffer, use_heap_large);
+					free_alloca(tmp, use_heap);
+					FREE_PATHW()
+					return -1;
+				}
+				memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength);
+				tmpsubstname[substitutename_len] = L'\0';
+				substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len);
 				if (!substitutename) {
 					free_alloca(pbuffer, use_heap_large);
 					free_alloca(tmp, use_heap);