Fix #73203: passing additional_parameters causes mail to fail

We make sure that there's no unsigned underflow, which happened for `y==0`.
This commit is contained in:
Christoph M. Becker 2016-09-30 11:05:53 +02:00
parent 703c247c7d
commit e72165bb86
3 changed files with 29 additions and 2 deletions

3
NEWS
View File

@ -2,6 +2,9 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2016, PHP 5.6.28
- Standard:
. Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
13 Oct 2016, PHP 5.6.27
- Core:

View File

@ -372,7 +372,7 @@ PHPAPI char *php_escape_shell_cmd(char *str)
}
cmd[y] = '\0';
if (y - 1 > cmd_max_len) {
if (y > cmd_max_len + 1) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped command exceeds the allowed length of %d bytes", cmd_max_len);
efree(cmd);
return NULL;
@ -459,7 +459,7 @@ PHPAPI char *php_escape_shell_arg(char *str)
#endif
cmd[y] = '\0';
if (y - 1 > cmd_max_len) {
if (y > cmd_max_len + 1) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped argument exceeds the allowed length of %d bytes", cmd_max_len);
efree(cmd);
return NULL;

View File

@ -0,0 +1,24 @@
--TEST--
Bug #73203 (passing additional_parameters causes mail to fail)
--DESCRIPTION--
We're not really interested in testing mail() here, but it is currently the
only function besides mb_send_mail() which allows to call php_escape_shell_cmd()
with an empty string. Therefore we don't check the resulting email, but only
verify that the call succeeds.
--INI--
sendmail_path=cat >/dev/null
mail.add_x_header = Off
--SKIPIF--
<?php
if (substr(PHP_OS, 0, 3) === 'WIN') die('skip won\'t run on Windows');
?>
--FILE--
<?php
var_dump(
mail('test@example.com', 'subject', 'message', 'From: lala@example.com', '')
);
?>
===DONE===
--EXPECT--
bool(true)
===DONE===