MFH fix for #34306 (wddx_serialize_value() crashes with long array keys)
authorAntony Dovgal <tony2001@php.net>
Fri, 19 May 2006 10:37:32 +0000 (10:37 +0000)
committerAntony Dovgal <tony2001@php.net>
Fri, 19 May 2006 10:37:32 +0000 (10:37 +0000)
ext/wddx/wddx.c

index 0b59a0afbf3303486589aca27524e76548ab6c31..a3759975563103ec62c574e86315b8161de95b10 100644 (file)
@@ -432,7 +432,7 @@ static void php_wddx_serialize_number(wddx_packet *packet, zval *var)
        tmp = *var;
        zval_copy_ctor(&tmp);
        convert_to_string(&tmp);
-       sprintf(tmp_buf, WDDX_NUMBER, Z_STRVAL(tmp));
+       snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp));
        zval_dtor(&tmp);
 
        php_wddx_add_chunk(packet, tmp_buf);    
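Review bot: The bound passed to snprintf on the added line is `Z_STRLEN(tmp)`, the length of the source string, not the capacity of `tmp_buf`, so the write is still not limited by the destination. `tmp_buf` is declared outside this hunk; if it is a fixed array like the `char tmp_buf[WDDX_BUF_LEN]` removed from php_wddx_serialize_var in this same commit, a numeric string longer than that array can still write past its end. Any literal text that WDDX_NUMBER places around the `%s` is also cut off, because the output is capped below the length of the value itself. Assuming an array destination, bounding by it addresses both: `snprintf(tmp_buf, sizeof(tmp_buf), WDDX_NUMBER, Z_STRVAL(tmp));`.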
@@ -624,17 +624,19 @@ static void php_wddx_serialize_array(wddx_packet *packet, zval *arr)
  */
 void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name_len TSRMLS_DC)
 {
-       char tmp_buf[WDDX_BUF_LEN];
+       char *tmp_buf;
        char *name_esc;
        int name_esc_len;
 
        if (name) {
                name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
-               sprintf(tmp_buf, WDDX_VAR_S, name_esc);
+               tmp_buf = emalloc(name_esc_len + 1);
+               snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc);
                php_wddx_add_chunk(packet, tmp_buf);
+               efree(tmp_buf);
                efree(name_esc);
        }
-       
+
        switch(Z_TYPE_P(var)) {
                case IS_STRING:
                        php_wddx_serialize_string(packet, var);
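Review bot: The heap buffer for the variable header is sized from `name_esc_len` alone, but `WDDX_VAR_S` is a format that adds its own text around the name, so the snprintf on the following added line truncates the result to fewer characters than the escaped name and the chunk passed to php_wddx_add_chunk is presumably incomplete markup. Size the allocation and the bound from the format plus the name, assuming WDDX_VAR_S is a string-literal macro: `tmp_buf = emalloc(name_esc_len + sizeof(WDDX_VAR_S));` and `snprintf(tmp_buf, name_esc_len + sizeof(WDDX_VAR_S), WDDX_VAR_S, name_esc);`. As written, an empty name would give snprintf a size of 0, which likely leaves `tmp_buf` unwritten before php_wddx_add_chunk reads it. The body of php_wddx_serialize_var continues past the end of this hunk.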