]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d81b4d3)
MFH: Added boundary checks to php_binary deserializer
authorIlia Alshanetsky <iliaa@php.net>
Sun, 31 Dec 2006 22:26:25 +0000 (22:26 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Sun, 31 Dec 2006 22:26:25 +0000 (22:26 +0000)
ext/session/session.c patch | blob | history

diff --git a/ext/session/session.c b/ext/session/session.c
index 1d60e085008b902dc4d0996e2cec1f038b0bba6e..3d97c9e041f87cd25f352851e07408f318fe0e81 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -424,6 +424,11 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
        for (p = val; p < endptr; ) {
                zval **tmp;
                namelen = *p & (~PS_BIN_UNDEF);
+
+               if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
+                       return FAILURE;
+               }
+
                has_value = *p & PS_BIN_UNDEF ? 0 : 1;
 
                name = estrndup(p + 1, namelen);
Unnamed repository; edit this file 'description' to name the repository.