]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fb3a3b7)
Revert previous commit that caused a buffer overflow (Bug #40634)
authorIlia Alshanetsky <iliaa@php.net>
Mon, 26 Feb 2007 02:12:36 +0000 (02:12 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Mon, 26 Feb 2007 02:12:36 +0000 (02:12 +0000)
ext/standard/head.c patch | blob | history

diff --git a/ext/standard/head.c b/ext/standard/head.c
index 7240d777d3ca3e8ae567341311ccdb223578dc17..417f8df5f05931f5dbf263fd5c83b05f17a6c791 100644 (file)
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -94,6 +94,9 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
        if (domain) {
                len += domain_len;
        }
+
+       cookie = emalloc(len + 100);
+
        if (value && value_len == 0) {
                /* 
                 * MSIE doesn't delete a cookie when you set it to a null value
@@ -102,10 +105,10 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
                 */
                time_t t = time(NULL) - 31536001;
                dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, t, 0 TSRMLS_CC);
-               spprintf(&cookie, 0, "Set-Cookie: %s=deleted; expires=%s", name, dt);
+               snprintf(cookie, len + 100, "Set-Cookie: %s=deleted; expires=%s", name, dt);
                efree(dt);
        } else {
-               spprintf(&cookie, 0, "Set-Cookie: %s=%s", name, value ? encoded_value : "");
+               snprintf(cookie, len + 100, "Set-Cookie: %s=%s", name, value ? encoded_value : "");
                if (expires > 0) {
                        strlcat(cookie, "; expires=", len + 100);
                        dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, expires, 0 TSRMLS_CC);
Unnamed repository; edit this file 'description' to name the repository.