Fixed bug #76143 (Memory corruption: arbitrary NUL overwrite)

diff --git a/NEWS b/NEWS
index 22b6d86c3ecce8295014f1a41de218b05d435e82..dce15ca4dd7ed77081e0d38acb5b4b06dd6c3260 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,9 @@ PHP                                                                        NEWS
   . Fixed bug #76113 (mbstring does not build with Oniguruma 6.8.1).
     (chrullrich, cmb)
 
+- phpdbg:
+  . Fixed bug #76143 (Memory corruption: arbitrary NUL overwrite). (Laruence)
+
 - SPL:
   . Fixed bug #76131 (mismatch arginfo for splarray constructor). 
     (carusogabriel)

diff --git a/sapi/phpdbg/phpdbg_io.c b/sapi/phpdbg/phpdbg_io.c
index ee5a656b606698e1497a91ece6abfc42e7c60461..1bf7227b1fd703a43201f27ebe5cf9a100c8fd9e 100644 (file)
--- a/sapi/phpdbg/phpdbg_io.c
+++ b/sapi/phpdbg/phpdbg_io.c
@@ -290,7 +290,7 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short
                        }
                }
 
-               snprintf(port_buf, 7, "%u", port);
+               snprintf(port_buf, sizeof(port_buf), "%u", port);
                if (!any_addr) {
                        rc = getaddrinfo(addr, port_buf, &hints, &res);
                } else {
@@ -301,20 +301,18 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short
 #ifndef PHP_WIN32
                        if (rc == EAI_SYSTEM) {
                                char buf[128];
-                               int wrote;
 
-                               wrote = snprintf(buf, 128, "Could not translate address '%s'", addr);
-                               buf[wrote] = '\0';
+                               snprintf(buf, sizeof(buf), "Could not translate address '%s'", addr);
+
                                zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf));
 
                                return sock;
                        } else {
 #endif
                                char buf[256];
-                               int wrote;
 
-                               wrote = snprintf(buf, 256, "Host '%s' not found. %s", addr, estrdup(gai_strerror(rc)));
-                               buf[wrote] = '\0';
+                               snprintf(buf, sizeof(buf), "Host '%s' not found. %s", addr, estrdup(gai_strerror(rc)));
+
                                zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf));
 
                                return sock;
@@ -324,13 +322,10 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short
                        return sock;
                }
 
-               if((sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) == -1) {
-                       char buf[128];
-                       int wrote;
+               if ((sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) == -1) {
+                       const char *msg = "Unable to create socket";
 
-                       wrote = sprintf(buf, "Unable to create socket");
-                       buf[wrote] = '\0';
-                       zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf));
+                       zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, msg, strlen(msg));
 
                        return sock;
                }