MFH: Fixed bug #27383 (Potential crash inside fopen_wrapper, while parsing

author Ilia Alshanetsky <iliaa@php.net>

Tue, 24 Feb 2004 21:53:57 +0000 (21:53 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Tue, 24 Feb 2004 21:53:57 +0000 (21:53 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Tue, 24 Feb 2004 21:53:57 +0000 (21:53 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Tue, 24 Feb 2004 21:53:57 +0000 (21:53 +0000)
diff --git a/NEWS b/NEWS

index b8a0edf829b8f5c0b391d398575e1a92122bc154..c41daa3a0e61756e0368c3b9122eaa6ffd2dcea1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
  PHP 4                                                                      NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  ?? Feb 2004, Version 4.3.5
+- Fixed bug #27383 (Potential crash inside fopen_wrapper, while parsing
+  response code). (Ilia)
  - Fixed bug #27341 (HEAD requests fail to return data). (Ilia)
  - Fixed bug #27337 (missing sapi_shutdown() in sapi/isapi causes memory leak). 
    (Jani, msisolak at yahoo dot com)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c

index d7a33d031f27d410be164af0aecdb2d2ee7d8924..c5961bc1bc5fe51acd56d1c4a5216e1a771758c3 100644 (file)
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -339,17 +339,22 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
         }
  
  
-       if (!php_stream_eof(stream))    {
+       if (!php_stream_eof(stream)) {
+               size_t tmp_line_len;
                 /* get response header */
  
-               if (php_stream_gets(stream, tmp_line, sizeof(tmp_line)-1) != NULL)      {
+               if (_php_stream_get_line(stream, tmp_line, sizeof(tmp_line) - 1, &tmp_line_len) != NULL) {
                         zval *http_response;
                         int response_code;
  
                         MAKE_STD_ZVAL(http_response);
                         ZVAL_NULL(http_response);
  
-                       response_code = atoi(tmp_line + 9);
+                       if (tmp_line_len > 9) {
+                               response_code = atoi(tmp_line + 9);
+                       } else {
+                               response_code = 0;
+                       }
                         switch(response_code) {
                                 case 200:
                                 case 302:
@@ -361,11 +366,15 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
                                                         tmp_line, response_code);
                                         break;
                                 default:
+                                       /* safety net in the event tmp_line == NULL */
+                                       if (!tmp_line_len) {
+                                               tmp_line[0] = '\0';
+                                       }
                                         php_stream_notify_error(context, PHP_STREAM_NOTIFY_FAILURE,
                                                         tmp_line, response_code);
                         }
                         
-                       Z_STRLEN_P(http_response) = strlen(tmp_line);
+                       Z_STRLEN_P(http_response) = tmp_line_len;
                         Z_STRVAL_P(http_response) = estrndup(tmp_line, Z_STRLEN_P(http_response));
                         if (Z_STRVAL_P(http_response)[Z_STRLEN_P(http_response)-1]=='\n') {
                                 Z_STRVAL_P(http_response)[Z_STRLEN_P(http_response)-1]=0;
author	Ilia Alshanetsky <iliaa@php.net>
	Tue, 24 Feb 2004 21:53:57 +0000 (21:53 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Tue, 24 Feb 2004 21:53:57 +0000 (21:53 +0000)
NEWS		patch \| blob \| history
ext/standard/http_fopen_wrapper.c		patch \| blob \| history