granicus.if.org Git - php/commitdiff
Fix out of bounds write in phpdbg
author Nikita Popov <nikita.ppv@gmail.com>
Tue, 25 Jun 2019 11:08:28 +0000 (13:08 +0200)
committer Nikita Popov <nikita.ppv@gmail.com>
Tue, 25 Jun 2019 12:28:58 +0000 (14:28 +0200)
It seems that this code has a peculiar interpretation of "len",
where it actually points to the last character, not one past it.
So we need +1 here for that extra char and another +1 for the
terminating null byte.

sapi/phpdbg/phpdbg_prompt.c

index 248391b1883902a75e081377f29ff0ef82e979ce..f2f20ae75b099ca5474c9aa7be0e62b650d273ba 100644 (file)
@@ -838,7 +838,7 @@ PHPDBG_COMMAND(run) /* {{{ */
                        while (*p == ' ') p++;
                        while (*p) {
                                char sep = ' ';
-                               char *buf = emalloc(end - p + 1), *q = buf;
+                               char *buf = emalloc(end - p + 2), *q = buf;
 
                                if (*p == '<') {
                                        /* use as STDIN */
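
Review bot: The `+ 2` on the `emalloc(end - p + 2)` line is a magic constant whose rationale exists only in the commit message; a reader of the code will see what looks like an over-allocation and may "correct" it back to `+ 1`. Please add a short comment at the allocation stating that `end` addresses the last character rather than one past it, so one byte covers that character and one covers the terminating null byte. A sturdier alternative would be to make `end` a conventional one-past-the-end pointer where it is computed and keep `end - p + 1` here, but the assignment of `end` is outside the visible context, so any other uses of it in this function should be checked for the same off-by-one assumption before doing that. The diff also touches only `sapi/phpdbg/phpdbg_prompt.c`; a regression test that runs the `run` command with an argument string filling the buffer exactly would keep this from recurring.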