]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 58b1889)
Fix bug #73189 - Memcpy negative size parameter php_resolve_path
authorStanislav Malyshev <stas@php.net>
Thu, 29 Sep 2016 06:30:48 +0000 (23:30 -0700)
committerAnatol Belski <ab@php.net>
Wed, 12 Oct 2016 19:31:37 +0000 (21:31 +0200)
(cherry picked from commit da7e89cde880c66887caacd0a3eae7ecdacf9b2a)

main/fopen_wrappers.c patch | blob | history

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index bf78db3bdf15f13b2baeb860cbc3fa70bf126a52..b554c380398c08fc9cc1a0df6244cd897d200f53 100644 (file)
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -536,7 +536,7 @@ PHPAPI zend_string *php_resolve_path(const char *filename, int filename_length,
                }
                end = strchr(p, DEFAULT_DIR_SEPARATOR);
                if (end) {
-                       if ((end-ptr) + 1 + filename_length + 1 >= MAXPATHLEN) {
+                       if (filename_length > (MAXPATHLEN - 2) || (end-ptr) > MAXPATHLEN || (end-ptr) + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
                                ptr = end + 1;
                                continue;
                        }
@@ -545,9 +545,9 @@ PHPAPI zend_string *php_resolve_path(const char *filename, int filename_length,
                        memcpy(trypath+(end-ptr)+1, filename, filename_length+1);
                        ptr = end+1;
                } else {
-                       int len = (int)strlen(ptr);
+                       size_t len = strlen(ptr);
 
-                       if (len + 1 + filename_length + 1 >= MAXPATHLEN) {
+                       if (filename_length > (MAXPATHLEN - 2) || len > MAXPATHLEN || len + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
                                break;
                        }
                        memcpy(trypath, ptr, len);
@@ -585,6 +585,7 @@ PHPAPI zend_string *php_resolve_path(const char *filename, int filename_length,
 
                while ((--exec_fname_length < SIZE_MAX) && !IS_SLASH(exec_fname[exec_fname_length]));
                if (exec_fname_length > 0 &&
+                       filename_length < (MAXPATHLEN - 2) &&
                    exec_fname_length + 1 + filename_length + 1 < MAXPATHLEN) {
                        memcpy(trypath, exec_fname, exec_fname_length + 1);
                        memcpy(trypath+exec_fname_length + 1, filename, filename_length+1);
Unnamed repository; edit this file 'description' to name the repository.