Fixed possible buffer overflows inside the fnmatch() and glob() functions

diff --git a/NEWS b/NEWS
index 3b10039cf2c9f012bef5283b89504a3e62c29101..f85873d8a957286c404241dddaab979b0084f17e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 20??, PHP 5.2.5
+- Fixed possible buffer overflows inside the fnmatch() and glob() functions 
+  reported by Laurent gaffie (Ilia)
+
 - Upgraded PCRE to version 7.3 (Nuno)
 - Added optional parameter $provide_object to debug_backtrace(). (Sebastian)
 

diff --git a/ext/standard/dir.c b/ext/standard/dir.c
index d78bc615f2e3351add4afed6adce2ae60b85a65c..1ad24d77aedf24deaa4c588c0346f6b0514ad8ce 100644 (file)
--- a/ext/standard/dir.c
+++ b/ext/standard/dir.c
@@ -401,6 +401,11 @@ PHP_FUNCTION(glob)
                return;
        }
 
+       if (pattern_len >= MAXPATHLEN) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN);
+               RETURN_FALSE;
+       }
+
        if ((GLOB_AVAILABLE_FLAGS & flags) != flags) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "At least one of the passed flags is invalid or not supported on this platform");
                RETURN_FALSE;

diff --git a/ext/standard/file.c b/ext/standard/file.c
index 04d4dc3434f49f1ee6205fffb5e3096ca9f0ac8c..c54ce62313d7e7ae591664a72589b7dfcadd04a9 100644 (file)
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -2518,6 +2518,11 @@ PHP_FUNCTION(fnmatch)
                == FAILURE) 
                return;
        
+       if (filename_len >= MAXPATHLEN) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN);
+               RETURN_FALSE;
+       }
+
        RETURN_BOOL( ! fnmatch( pattern, filename, flags ));
 }
 /* }}} */