Fixed a possible buffer overflow inside create_named_pipe() for Win32

systems in libmysql.c.

diff --git a/NEWS b/NEWS
index 4557cf66b94f86b2a863286d418051d825092fe4..2ee7e5de68c6d09181d8b757407e758ec6bce8aa 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, Version 4.4.3
+- Fixed a possible buffer overflow inside create_named_pipe() for Win32 systems
+  in libmysql.c. (Ilia)
 - Updated PCRE to version 6.6. (Andrei)
 - Added overflow checks to wordwrap() function. (Ilia)
 - Added a check for special characters in the session name. (Ilia)

diff --git a/ext/mysql/libmysql/libmysql.c b/ext/mysql/libmysql/libmysql.c
index 94d6352252a457038bad2b3ea5091ea665b20695..a1f7a4520cc736f5c7fa8f6094d3d76f3bf21d07 100644 (file)
--- a/ext/mysql/libmysql/libmysql.c
+++ b/ext/mysql/libmysql/libmysql.c
@@ -213,6 +213,10 @@ HANDLE create_named_pipe(NET *net, uint connect_timeout, char **arg_host,
   if (!host || !strcmp(host,LOCAL_HOST))
     host=LOCAL_HOST_NAMEDPIPE;
 
+  if (sizeof(szPipeName) <= (strlen(host) + strlen(unix_socket) + sizeof("\\\\\\pipe\\"))) {
+       return INVALID_HANDLE_VALUE;
+  }
+
   sprintf( szPipeName, "\\\\%s\\pipe\\%s", host, unix_socket);
   DBUG_PRINT("info",("Server name: '%s'.  Named Pipe: %s",
                     host, unix_socket));