From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 25 Feb 2004 22:10:09 +0000 (+0000)
Subject: Fixed bug #21760 (Use of uninitialized pointer inside php_read()).
X-Git-Tag: RELEASE_0_2_0~157
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=337b23bd93b549858564457eda82dfee69ce7ca1;p=php

Fixed bug #21760 (Use of uninitialized pointer inside php_read()).
Fixed 3 possible crashes due to integer overflow or invalid user input
inside the sockets extension.
---

diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index dde96246b7..d170fa9bcf 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -266,6 +266,7 @@ static int php_read(int bsd_socket, void *buf, size_t maxlen, int flags)
 
 	set_errno(0);
 
+	*t = '\0';
 	while (*t != '\n' && *t != '\r' && n < maxlen) {
 		if (m > 0) {
 			t++;
@@ -828,6 +829,11 @@ PHP_FUNCTION(socket_read)
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|l", &arg1, &length, &type) == FAILURE)
 		return;
 
+	/* overflow check */
+	if ((length + 1) < 2) {
+		RETURN_FALSE;
+	}
+
 	tmpbuf = emalloc(length + 1);
 	
 	ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket);
@@ -1225,6 +1231,11 @@ PHP_FUNCTION(socket_recv)
 
 	ZEND_FETCH_RESOURCE(php_sock, php_socket *, &php_sock_res, -1, le_socket_name, le_socket);
 
+	/* overflow check */
+	if ((len + 1) < 2) {
+		RETURN_FALSE;
+	}
+
 	recv_buf = emalloc(len + 1);
 	memset(recv_buf, 0, len + 1);
 
@@ -1301,6 +1312,11 @@ PHP_FUNCTION(socket_recvfrom)
 
 	ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket);
 
+	/* overflow check */
+	if ((arg3 + 2) < 3) {
+		RETURN_FALSE;
+	}
+
 	recv_buf = emalloc(arg3 + 2);
 	memset(recv_buf, 0, arg3 + 2);