Safety checks
authorIlia Alshanetsky <iliaa@php.net>
Sat, 23 Dec 2006 23:28:39 +0000 (23:28 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Sat, 23 Dec 2006 23:28:39 +0000 (23:28 +0000)
ext/zip/php_zip.c
ext/zip/zip_stream.c

index aca65f1d1610ebe9f662cfb4f99542c59ed05ae4..28fc27fc03380f14cf1318d0ed340b46fcac9fe6 100644 (file)
@@ -88,30 +88,29 @@ static int le_zip_entry;
 
 /* {{{ php_zip_extract_file */
 /* TODO: Simplify it */
-static int php_zip_extract_file(struct zip * za, char *dest, char *file TSRMLS_DC)
+static int php_zip_extract_file(struct zip * za, char *dest, char *file, int file_len TSRMLS_DC)
 {
        php_stream_statbuf ssb;
        struct zip_file *zf;
        struct zip_stat sb;
        char b[8192];
 
-       int n, len, ret, file_len;
+       int n, len, ret;
 
        php_stream *stream;
 
        char *fullpath;
        char *file_dirname_fullpath;
-       char file_dirname[MAXPATHLEN + 1];
+       char file_dirname[MAXPATHLEN];
        size_t dir_len;
 
        char *file_basename;
        size_t file_basename_len;
 
-       if (zip_stat(za, file, 0, &sb)) {
+       if (file_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb)) {
                return 0;
        }
 
-       file_len = strlen(file);
        memcpy(file_dirname, file, file_len);
 
        dir_len = php_dirname(file_dirname, file_len);
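Review bot: The new guard in `php_zip_extract_file` bounds `file_len` only from above, yet `file_len` is a signed `int` that goes straight into `memcpy(file_dirname, file, file_len)`. A negative value would pass `file_len >= MAXPATHLEN` and be converted to a very large copy size, and a zero length copies nothing and hands `php_dirname` an uninitialised buffer. One caller in this commit passes `strlen(file)`, which narrows a `size_t` to `int`, so I would reject both cases up front: `if (file_len < 1 || file_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb)) {`. The function body continues past the end of this hunk, so whether later code already copes with an empty name is not visible here.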
@@ -122,7 +121,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file TSRMLS_D
                len = spprintf(&file_dirname_fullpath, 0, "%s", dest);
        }
 
-       php_basename(file, file_len, NULL, 0, &file_basename, (int *)&file_basename_len TSRMLS_CC);
+       php_basename(file, file_len, NULL, 0, &file_basename, &file_basename_len TSRMLS_CC);
 
        if (SAFEMODE_CHECKFILE(file_dirname_fullpath)) {
                efree(file_dirname_fullpath);
@@ -882,7 +881,7 @@ static ZIPARCHIVE_METHOD(open)
        int filename_len;
        int err = 0;
        long flags = 0;
-       char resolved_path[MAXPATHLEN + 1];
+       char resolved_path[MAXPATHLEN];
 
        zval *this = getThis();
        ze_zip_object *ze_obj = NULL;
@@ -995,7 +994,7 @@ static ZIPARCHIVE_METHOD(addFile)
        struct zip_source *zs;
        long offset_start = 0, offset_len = 0;
        int cur_idx;
-       char resolved_path[MAXPATHLEN + 1];
+       char resolved_path[MAXPATHLEN];
 
        if (!this) {
                RETURN_FALSE;
@@ -1705,7 +1704,7 @@ static ZIPARCHIVE_METHOD(extractTo)
                switch (Z_TYPE_P(zval_files)) {
                        case IS_STRING:
                                file = Z_STRVAL_P(zval_files);
-                               if (!php_zip_extract_file(intern, pathto, file TSRMLS_CC)) {
+                               if (!php_zip_extract_file(intern, pathto, file, Z_STRLEN_P(zval_files) TSRMLS_CC)) {
                                        RETURN_FALSE;
                                }
                                break;
@@ -1721,7 +1720,7 @@ static ZIPARCHIVE_METHOD(extractTo)
                                                                break;
                                                        case IS_STRING:
                                                                file = Z_STRVAL_PP(zval_file);
-                                                               if (!php_zip_extract_file(intern, pathto, file TSRMLS_CC)) {
+                                                               if (!php_zip_extract_file(intern, pathto, file, Z_STRLEN_P(zval_files) TSRMLS_CC)) {
                                                                        RETURN_FALSE;
                                                                }
                                                                break;
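Review bot: In the per-element branch the length is taken from the wrong zval: `file` comes from `Z_STRVAL_PP(zval_file)`, but the length passed is `Z_STRLEN_P(zval_files)`, which is the outer value rather than the current element. If `zval_files` is the array being iterated (it appears to be, though the enclosing switch starts outside the hunk), this reads the string-length field of a non-string value. That number then feeds the `MAXPATHLEN` check and the `memcpy` in `php_zip_extract_file`. The call should read `php_zip_extract_file(intern, pathto, file, Z_STRLEN_PP(zval_file) TSRMLS_CC)`.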
@@ -1745,7 +1744,7 @@ static ZIPARCHIVE_METHOD(extractTo)
 
         for (i = 0; i < filecount; i++) {
             file = (char*)zip_get_name(intern, i, ZIP_FL_UNCHANGED);
-            if (!php_zip_extract_file(intern, pathto, file TSRMLS_CC)) {
+            if (!php_zip_extract_file(intern, pathto, file, strlen(file) TSRMLS_CC)) {
                 RETURN_FALSE;
             }
         }
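Review bot: `strlen(file)` is now evaluated on the return value of `zip_get_name` before anything checks it, and libzip's `zip_get_name` returns NULL on error. Before this change the pointer reached `zip_stat` first, which presumably rejected it; now a NULL name is dereferenced in the caller. A guard keeps the loop safe: `if (!file || !php_zip_extract_file(intern, pathto, file, strlen(file) TSRMLS_CC)) {`. Entry names here come from the archive itself, so it is also worth confirming that the part of `php_zip_extract_file` outside this diff rejects names that resolve outside `pathto`.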
@@ -1807,7 +1806,7 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
                RETURN_FALSE;
        }
 
-       buffer = safe_emalloc(len + 1, 1, 1);
+       buffer = safe_emalloc(len, 1, 2);
        n = zip_fread(zf, buffer, len);
        if (n < 1) {
                RETURN_EMPTY_STRING();
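Review bot: The early return on `n < 1` leaves `buffer` allocated: `RETURN_EMPTY_STRING()` follows the `zip_fread` call with no `efree(buffer)` in between. Since the allocation line is being touched anyway, the failure path could release it: `efree(buffer); RETURN_EMPTY_STRING();`. Whether `zf` is closed on this path is not visible, because the function continues outside the hunk.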
index 83e9ceab3e6cd69cb6e584af1e62806178559c4f..c36df3e4c068ad9ca3c3ad26a08985f87c351dc7 100644 (file)
@@ -153,7 +153,7 @@ php_stream *php_stream_zip_opener(php_stream_wrapper *wrapper,
 
        char *file_basename;
        size_t file_basename_len;
-       char file_dirname[MAXPATHLEN+1];
+       char file_dirname[MAXPATHLEN];
 
        struct zip *za;
        struct zip_file *zf = NULL;
@@ -179,15 +179,15 @@ php_stream *php_stream_zip_opener(php_stream_wrapper *wrapper,
                return NULL;
        }
        path_len = strlen(path);
+       if (path_len >= MAXPATHLEN || mode[0] != 'r') {
+               return NULL;
+       }
 
        memcpy(file_dirname, path, path_len - fragment_len);
        file_dirname[path_len - fragment_len] = '\0';
 
        php_basename(path, path_len - fragment_len, NULL, 0, &file_basename, &file_basename_len TSRMLS_CC);
        fragment++;
-       if (mode[0] != 'r') {
-               return NULL;
-       }
 
        za = zip_open(file_dirname, ZIP_CREATE, &err);
        if (za) {