]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 96489b4)
Added boundary checks to php_binary deserializer
authorIlia Alshanetsky <iliaa@php.net>
Sun, 31 Dec 2006 22:25:55 +0000 (22:25 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Sun, 31 Dec 2006 22:25:55 +0000 (22:25 +0000)
ext/session/session.c patch | blob | history

diff --git a/ext/session/session.c b/ext/session/session.c
index 3fbb5151a7fdd1e094fa1e6527f2051de6119bf4..db2e24a72a4787e2bd4d3449ffb37bb14545e70d 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -471,6 +471,11 @@ PS_SERIALIZER_DECODE_FUNC(php_binary)
        for (p = val; p < endptr; ) {
                zval **tmp;
                namelen = *p & (~PS_BIN_UNDEF);
+
+               if (namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
+                       return FAILURE;
+               }
+
                has_value = *p & PS_BIN_UNDEF ? 0 : 1;
 
                name = estrndup(p + 1, namelen);
Unnamed repository; edit this file 'description' to name the repository.