MFH: fixed possible buffer overflow in 64bit systems
authorMoriyoshi Koizumi <moriyoshi@php.net>
Mon, 10 Feb 2003 20:13:36 +0000 (20:13 +0000)
committerMoriyoshi Koizumi <moriyoshi@php.net>
Mon, 10 Feb 2003 20:13:36 +0000 (20:13 +0000)
main/SAPI.c

index 8e155733279a86c49a07f5ab3fe5d7b262100dd9..dd10339499f970c1ee9a9c42101503bf0a02c79e 100644 (file)
@@ -619,14 +619,18 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
                                                                                                0, &result_len, -1 TSRMLS_CC);
                                                if(result_len==ptr_len) {
                                                        char *lower_temp = estrdup(ptr);        
-                                                       char conv_temp[32];
+                                                       char conv_temp[64];
                                                        int conv_len;
 
                                                        php_strtolower(lower_temp,strlen(lower_temp));
                                                        /* If there is no realm string at all, append one */
                                                        if(!strstr(lower_temp,"realm")) {
                                                                efree(result);
-                                                               conv_len = sprintf(conv_temp," realm=\"%ld\"",myuid);           
+                                                               conv_len = snprintf(conv_temp, sizeof(conv_temp), " realm=\"%ld\"",myuid);
+                                                               /* some broken snprintf() impls may return a negative value on failure */
+                                                               if (conv_len < 0) {
+                                                                       conv_len = 0;
+                                                               }
                                                                result = emalloc(ptr_len+conv_len+1);
                                                                result_len = ptr_len+conv_len;
                                                                memcpy(result, ptr, ptr_len);
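Review bot: The guard added after `snprintf()` only handles a negative return, but a C99-conforming `snprintf()` returns the length the full output would have had, so on truncation `conv_len` can be `>= sizeof(conv_temp)`. That value then sizes `emalloc(ptr_len+conv_len+1)` and `result_len`, and presumably also the copy out of `conv_temp`, which is below the end of this hunk and should be checked. With a 64-byte buffer and a single `%ld` the output fits, so this is hardening rather than a reachable overflow. The guard could clamp both ends: `if (conv_len < 0) { conv_len = 0; } else if (conv_len >= (int)sizeof(conv_temp)) { conv_len = sizeof(conv_temp) - 1; }`. The declaration of `myuid` is also outside the hunk, so confirm it is a `long` to match `%ld`, or cast it at the call.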