From d0cb097c52da5034c4d93098e05f29e38fcf5325 Mon Sep 17 00:00:00 2001
From: Sara Golemon <pollita@php.net>
Date: Mon, 27 Jan 2003 19:51:50 +0000
Subject: [PATCH] Fix potential buffer overflow.

---
 ext/ftp/ftp.c     | 14 +++++++++++---
 ext/ftp/ftp.h     |  2 +-
 ext/ftp/php_ftp.c |  2 +-
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
index 96e2a7f299d..0180c4f5986 100644
--- a/ext/ftp/ftp.c
+++ b/ext/ftp/ftp.c
@@ -538,23 +538,31 @@ ftp_rmdir(ftpbuf_t *ftp, const char *dir)
 /* {{{ ftp_chmod
  */
 int
-ftp_chmod(ftpbuf_t *ftp, const int mode, const char *filename)
+ftp_chmod(ftpbuf_t *ftp, const int mode, const char *filename, const int filename_len)
 {
-	char buffer[1024];
+	char *buffer;
 
-	if (ftp == NULL) {
+	if (ftp == NULL || filename_len <= 0) {
+		return 0;
+	}
+
+	if (!(buffer = emalloc(32 + filename_len + 1))) {
 		return 0;
 	}
 
 	sprintf(buffer, "CHMOD %o %s", mode, filename);
 
 	if (!ftp_putcmd(ftp, "SITE", buffer)) {
+		efree(buffer);
 		return 0;
 	}
 
+	efree(buffer);
+
 	if (!ftp_getresp(ftp) || ftp->resp != 200) {
 		return 0;
 	}
+	
 	return 1;
 }
 /* }}} */
diff --git a/ext/ftp/ftp.h b/ext/ftp/ftp.h
index 35bf12bffb4..19233a5d6c6 100644
--- a/ext/ftp/ftp.h
+++ b/ext/ftp/ftp.h
@@ -136,7 +136,7 @@ char*		ftp_mkdir(ftpbuf_t *ftp, const char *dir);
 int		ftp_rmdir(ftpbuf_t *ftp, const char *dir);
 
 /* Set permissions on a file */
-int		ftp_chmod(ftpbuf_t *ftp, const int mode, const char *filename);
+int		ftp_chmod(ftpbuf_t *ftp, const int mode, const char *filename, const int filename_len);
 
 /* returns a NULL-terminated array of filenames in the given path
  * or NULL on error.  the return array must be freed (but don't
diff --git a/ext/ftp/php_ftp.c b/ext/ftp/php_ftp.c
index b8fc548b1e6..d43211ad39b 100644
--- a/ext/ftp/php_ftp.c
+++ b/ext/ftp/php_ftp.c
@@ -396,7 +396,7 @@ PHP_FUNCTION(ftp_chmod)
 
 	ZEND_FETCH_RESOURCE(ftp, ftpbuf_t*, &z_ftp, -1, le_ftpbuf_name, le_ftpbuf);
 
-	if (!ftp_chmod(ftp, mode, filename)) {
+	if (!ftp_chmod(ftp, mode, filename, filename_len)) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", ftp->inbuf);
 		RETURN_FALSE;
 	}