Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)

author Xinchen Hui <laruence@gmail.com>

Sun, 3 Jul 2016 01:30:33 +0000 (09:30 +0800)

committer Xinchen Hui <laruence@gmail.com>

Sun, 3 Jul 2016 01:30:33 +0000 (09:30 +0800)
author Xinchen Hui <laruence@gmail.com>
Sun, 3 Jul 2016 01:30:33 +0000 (09:30 +0800)
committer Xinchen Hui <laruence@gmail.com>
Sun, 3 Jul 2016 01:30:33 +0000 (09:30 +0800)
diff --git a/NEWS b/NEWS

index c8abefe432de45ffe7d59075b9f3baae06f1b317..3e2be90c5604e39103e7d1bd296d55fc41d33a8e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -32,6 +32,9 @@ PHP                                                                        NEWS
    . Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
      (Laruence)
  
+- Session:
+  . Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence)
+
  - Streams:
    . Fixed bug #72439 (Stream socket with remote address leads to a segmentation
      fault). (Laruence)
diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c

index b380cfe86b2887dee11a4ee454221039fd472b3c..64a6c47e00e79c3703bf44412c3984369dfe131f 100644 (file)
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -294,6 +294,11 @@ static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime)
  
         dirname_len = strlen(dirname);
  
+       if (dirname_len >= MAXPATHLEN) {
+               php_error_docref(NULL, E_NOTICE, "ps_files_cleanup_dir: dirname(%s) is too long", dirname);
+               return (0);
+       }
+
         /* Prepare buffer (dirname never changes) */
         memcpy(buf, dirname, dirname_len);
         buf[dirname_len] = PHP_DIR_SEPARATOR;
author	Xinchen Hui <laruence@gmail.com>
	Sun, 3 Jul 2016 01:30:33 +0000 (09:30 +0800)
committer	Xinchen Hui <laruence@gmail.com>
	Sun, 3 Jul 2016 01:30:33 +0000 (09:30 +0800)
NEWS		patch \| blob \| history
ext/session/mod_files.c		patch \| blob \| history