Patch for Heap Buffer Overflow in EscapeShell

author libnex <emmanuel.law@gmail.com>

Sun, 3 Jan 2016 23:27:27 +0000 (12:27 +1300)

committer Anatol Belski <ab@php.net>

Wed, 6 Jan 2016 06:49:21 +0000 (07:49 +0100)
author libnex <emmanuel.law@gmail.com>
Sun, 3 Jan 2016 23:27:27 +0000 (12:27 +1300)
committer Anatol Belski <ab@php.net>
Wed, 6 Jan 2016 06:49:21 +0000 (07:49 +0100)
diff --git a/ext/standard/exec.c b/ext/standard/exec.c

index c724b795357aa67a61c239bd58244778e62d2196..c4afce333735961fd33360bec7e0812185ec3465 100644 (file)
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -253,7 +253,7 @@ PHPAPI zend_string *php_escape_shell_cmd(char *str)
  #endif
  
  
-       cmd = zend_string_alloc(2 * l, 0);
+       cmd = zend_string_safe_alloc(2, l, 0, 0);
  
         for (x = 0, y = 0; x < l; x++) {
                 int mb_len = php_mblen(str + x, (l - x));
@@ -345,7 +345,7 @@ PHPAPI zend_string *php_escape_shell_arg(char *str)
         size_t estimate = (4 * l) + 3;
  
  
-       cmd = zend_string_alloc(4 * l + 2, 0); /* worst case */
+       cmd = zend_string_safe_alloc(4, l, 2, 0); /* worst case */
  
  #ifdef PHP_WIN32
         ZSTR_VAL(cmd)[y++] = '"';
author	libnex <emmanuel.law@gmail.com>
	Sun, 3 Jan 2016 23:27:27 +0000 (12:27 +1300)
committer	Anatol Belski <ab@php.net>
	Wed, 6 Jan 2016 06:49:21 +0000 (07:49 +0100)