MFB: Fixed possible buffer overflows inside the fnmatch() and glob()
authorIlia Alshanetsky <iliaa@php.net>
Wed, 5 Sep 2007 12:55:36 +0000 (12:55 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Wed, 5 Sep 2007 12:55:36 +0000 (12:55 +0000)
functions

ext/standard/dir.c
ext/standard/file.c

index f282a80464da6f0e75dd0608e4e6ece8b864ded8..275d102bcf0f291775cae14c96f91e1f6913674b 100644 (file)
@@ -427,6 +427,11 @@ PHP_FUNCTION(glob)
                return;
        }
 
+       if (pattern_len >= MAXPATHLEN) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN);
+               RETURN_FALSE;
+       }
+
        if ((GLOB_AVAILABLE_FLAGS & flags) != flags) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "At least one of the passed flags is invalid or not supported on this platform");
                RETURN_FALSE;
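Review bot: The warning added in the glob() guard states a limit that the guard does not actually allow: `pattern_len >= MAXPATHLEN` rejects a pattern of exactly MAXPATHLEN bytes, so the longest accepted pattern is MAXPATHLEN - 1, while the message prints MAXPATHLEN. Passing `MAXPATHLEN - 1` as the format argument, or wording it as "must be shorter than %d", would keep the diagnostic accurate; the fnmatch() hunk in ext/standard/file.c has the same mismatch in its "Filename exceeds ..." message. A one-line comment above the check, such as `/* reject patterns that cannot fit a MAXPATHLEN buffer including the terminating NUL */`, would record why the bound is `>=` rather than `>`; that rationale is inferred from the commit title, since the buffer itself is not in the hunk. PHP_FUNCTION(glob) starts and ends outside this hunk.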
index 39a71f10ac3225ce1441b59fad1550082572f70e..3ea5ee8f8db9d7ff31c97c20a9194a65b1928122 100644 (file)
@@ -2894,6 +2894,11 @@ PHP_FUNCTION(fnmatch)
                zend_unicode_to_string_ex(UG(utf8_conv), &filename_utf8, &filename_utf8_len, filename.u, filename_len, &status);
                pattern.s = pattern_utf8;
                filename.s = filename_utf8;
+               filename_len = filename_utf8_len;
+       }
+       if (filename_len >= MAXPATHLEN) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN);
+               RETURN_FALSE;
        }
 
        RETVAL_BOOL( ! fnmatch( pattern.s, filename.s, flags ));
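Review bot: Only the filename is bounded before the `fnmatch( pattern.s, filename.s, flags )` call on the last line; the pattern reaches it with no length limit, even though the glob() hunk of this same commit treats an over-long pattern as the overflow risk. A matching guard, `if (pattern_len >= MAXPATHLEN)` with its own warning and `RETURN_FALSE;`, would close that gap, assuming this function keeps a pattern length the way glob() does, which is not visible here. In the conversion branch the hunk refreshes `filename_len` from `filename_utf8_len` but does nothing comparable for the pattern, so a pattern check would also need the converted pattern length assigned there. The function body begins outside the hunk.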