make length check more robust
authorAnatol Belski <ab@php.net>
Tue, 24 Jan 2017 12:24:11 +0000 (13:24 +0100)
committerAnatol Belski <ab@php.net>
Tue, 24 Jan 2017 12:24:11 +0000 (13:24 +0100)
Zend/zend_virtual_cwd.c

index 5a0b14901ad4a0f3502ce8f0d2e9644e2d87ceed..0f388dc638145da2306ae09f3220277a47d59a91 100644 (file)
@@ -965,7 +965,7 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 #endif
 
                                substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
-                               if (substitutename_len > MAXPATHLEN) {
+                               if (substitutename_len >= MAXPATHLEN) {
                                        free_alloca(pbuffer, use_heap_large);
                                        free_alloca(tmp, use_heap);
                                        FREE_PATHW()
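Review bot: The tightened bound at `if (substitutename_len >= MAXPATHLEN)` carries no comment, and it is easy to misread because the value at this point is a count of WCHARs rather than bytes. The `>=` is what keeps the terminator store `tmpsubstname[substitutename_len] = L'\0'` in the following hunk inside the array, assuming `tmpsubstname` is declared with MAXPATHLEN elements (its declaration is outside the hunk). I would add `/* length in WCHARs; >= reserves the slot for the terminating L'\0' in tmpsubstname */` above the check, here and at the identical check in the hunk at line 1000. tsrm_realpath_r begins and ends outside this hunk.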
@@ -974,9 +974,10 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
                                memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength);
                                tmpsubstname[substitutename_len] = L'\0';
                                substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len);
-                               if (!substitutename) {
+                               if (!substitutename || substitutename_len >= MAXPATHLEN) {
                                        free_alloca(pbuffer, use_heap_large);
                                        free_alloca(tmp, use_heap);
+                                       free(substitutename);
 #if VIRTUAL_CWD_DEBUG
                                        free(printname);
 #endif
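Review bot: The `memmove` into `tmpsubstname` still trusts `SubstituteNameOffset`. The length is bounded by the earlier check, but nothing in the visible lines confirms that offset plus length lies within the reparse data actually returned in `pbuffer`, so a malformed reparse buffer could make the copy read past the end of it. If that is not validated earlier in tsrm_realpath_r (outside this hunk), add a guard before the copy that rejects the entry when `SubstituteNameOffset + SubstituteNameLength` exceeds the returned data size, using the same cleanup-and-return path as the length check. Separately, `substitutename_len` changes meaning after `php_win32_cp_conv_w_to_any`, from a WCHAR count to the converted string's length, so the new `substitutename_len >= MAXPATHLEN` test deserves a one-line comment naming the destination buffer it protects. Both remarks apply equally to the hunk at line 1009.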
@@ -999,7 +1000,7 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 
 
                                substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
-                               if (substitutename_len > MAXPATHLEN) {
+                               if (substitutename_len >= MAXPATHLEN) {
                                        free_alloca(pbuffer, use_heap_large);
                                        free_alloca(tmp, use_heap);
                                        FREE_PATHW()
@@ -1008,9 +1009,10 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
                                memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength);
                                tmpsubstname[substitutename_len] = L'\0';
                                substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len);
-                               if (!substitutename) {
+                               if (!substitutename || substitutename_len >= MAXPATHLEN) {
                                        free_alloca(pbuffer, use_heap_large);
                                        free_alloca(tmp, use_heap);
+                                       free(substitutename);
 #if VIRTUAL_CWD_DEBUG
                                        free(printname);
 #endif