]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e88897e)
MFB: Added boundary checks to php_binary deserializer
authorIlia Alshanetsky <iliaa@php.net>
Sun, 31 Dec 2006 22:26:06 +0000 (22:26 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Sun, 31 Dec 2006 22:26:06 +0000 (22:26 +0000)
ext/session/session.c patch | blob | history

diff --git a/ext/session/session.c b/ext/session/session.c
index 9363e70bc861fa86422fa01e8a29fd5a908b6bb4..e86dcd5dc49facbc8ed12b89e891885ffbc7a52e 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -384,6 +384,11 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
        for (p = val; p < endptr; ) {
                zval **tmp;
                namelen = *p & (~PS_BIN_UNDEF);
+
+               if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
+                       return FAILURE;
+               }
+
                has_value = *p & PS_BIN_UNDEF ? 0 : 1;
 
                name = estrndup(p + 1, namelen);
Unnamed repository; edit this file 'description' to name the repository.