check length first, prevent out-of-bounds read
authorAntony Dovgal <tony2001@php.net>
Wed, 3 Feb 2016 11:48:38 +0000 (14:48 +0300)
committerAntony Dovgal <tony2001@php.net>
Wed, 3 Feb 2016 11:49:16 +0000 (14:49 +0300)
ext/session/session.c

index d67045ed8977b436614f31139f5a097c2b02473a..10094424d4f340eb8ff18c3f77e1f643bd23fda9 100644 (file)
@@ -2942,7 +2942,7 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
                                if (name_len == progress->sname_len && memcmp(data->name, PS(session_name), name_len) == 0) {
                                        zval_dtor(&progress->sid);
                                        ZVAL_STRINGL(&progress->sid, (*data->value), value_len);
-                               } else if (memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
+                               } else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len + 1) == 0) {
                                        smart_str_free(&progress->key);
                                        smart_str_appends(&progress->key, PS(rfc1867_prefix));
                                        smart_str_appendl(&progress->key, *data->value, value_len);
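Review bot: With the length equality check now in front, the `name_len + 1` in the `memcmp` on the added `else if` line is no longer needed, and it still reads `data->name[name_len]`. That read is only in bounds if `data->name` is always NUL-terminated at that index, which this hunk does not show. Once the lengths match, comparing exactly `name_len` bytes is enough, as the `PS(session_name)` branch above does: `} else if (name_len == strlen(PS(rfc1867_name)) && memcmp(data->name, PS(rfc1867_name), name_len) == 0) {`. The `strlen()` is also recomputed each time this branch is reached, whereas the first branch uses the cached `progress->sname_len`; caching the length the same way would keep the two branches parallel. The body of `php_session_rfc1867_callback` starts and ends outside the hunk.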