Fixed bug #27383 (Potential crash inside fopen_wrapper, while parsing

author Ilia Alshanetsky <iliaa@php.net>

Tue, 24 Feb 2004 21:52:40 +0000 (21:52 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Tue, 24 Feb 2004 21:52:40 +0000 (21:52 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Tue, 24 Feb 2004 21:52:40 +0000 (21:52 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Tue, 24 Feb 2004 21:52:40 +0000 (21:52 +0000)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c

index 8d21d2485e4d881c84f818bba077e2facdced905..083b22c1e934f21417838c42d208e1e2ec84c952 100644 (file)
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -351,17 +351,22 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
         }
  
  
-       if (!php_stream_eof(stream))    {
+       if (!php_stream_eof(stream)) {
+               size_t tmp_line_len;
                 /* get response header */
  
-               if (php_stream_gets(stream, tmp_line, sizeof(tmp_line)-1) != NULL)      {
+               if (_php_stream_get_line(stream, tmp_line, sizeof(tmp_line) - 1, &tmp_line_len) != NULL) {
                         zval *http_response;
                         int response_code;
  
                         MAKE_STD_ZVAL(http_response);
                         ZVAL_NULL(http_response);
  
-                       response_code = atoi(tmp_line + 9);
+                       if (tmp_line_len > 9) {
+                               response_code = atoi(tmp_line + 9);
+                       } else {
+                               response_code = 0;
+                       }
                         switch(response_code) {
                                 case 200:
                                 case 302:
@@ -373,11 +378,15 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
                                                         tmp_line, response_code);
                                         break;
                                 default:
+                                       /* safety net in the event tmp_line == NULL */
+                                       if (!tmp_line_len) {
+                                               tmp_line[0] = '\0';
+                                       }
                                         php_stream_notify_error(context, PHP_STREAM_NOTIFY_FAILURE,
                                                         tmp_line, response_code);
                         }
                         
-                       Z_STRLEN_P(http_response) = strlen(tmp_line);
+                       Z_STRLEN_P(http_response) = tmp_line_len;
                         Z_STRVAL_P(http_response) = estrndup(tmp_line, Z_STRLEN_P(http_response));
                         if (Z_STRVAL_P(http_response)[Z_STRLEN_P(http_response)-1]=='\n') {
                                 Z_STRVAL_P(http_response)[Z_STRLEN_P(http_response)-1]=0;
author	Ilia Alshanetsky <iliaa@php.net>
	Tue, 24 Feb 2004 21:52:40 +0000 (21:52 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Tue, 24 Feb 2004 21:52:40 +0000 (21:52 +0000)