Added missing safety checks for 2nd parameter of setlocale() function

diff --git a/NEWS b/NEWS
index 6f6a28effdaf01125774867e2d0cccfd186be7e7..f7eeb4c259b6d8447c8678c2d266da19acedc7c3 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,10 +2,11 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 20??, PHP 5.2.5
 - Fixed leaks with mulitple connects on one mysqli object. (Andrey)
-- Fixed endianness detection on MacOS when building universal binary. 
+'- Fixed endianness detection on MacOS when building universal binary. 
   (Uwe Schindler, Christian Speich, Tony)
-- Fixed possible buffer overflows inside the fnmatch() and glob() functions 
-  reported by Laurent gaffie (Ilia)
+- Fixed possible triggering of buffer overflows inside glibc
+  imlplementations of the fnmatch(), setlocale() and glob() functions reported 
+  by Laurent gaffie (Ilia)
 
 - Upgraded PCRE to version 7.3 (Nuno)
 - Added optional parameter $provide_object to debug_backtrace(). (Sebastian)

diff --git a/ext/standard/string.c b/ext/standard/string.c
index e7b36a27acd7b18a07b22ac4235b95745eccba49..71e70af42a6253a03bf9e827e9d4159639d99362 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4000,8 +4000,12 @@ PHP_FUNCTION(setlocale)
                        loc = NULL;
                } else {
                        loc = Z_STRVAL_PP(plocale);
+                       if (Z_STRLEN_PP(plocale) >= 255) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Specified locale name is too long");
+                               break;
+                       }
                }
-               
+
                retval = setlocale (cat, loc);
                zend_update_current_locale();
                if (retval) {