From: Antony Dovgal <tony2001@php.net>
Date: Mon, 16 Apr 2007 12:49:07 +0000 (+0000)
Subject: MFB use strlcat()
X-Git-Tag: RELEASE_1_2_0~310
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=51058019f6b0d3142bd7d33620af86938e923b35;p=php

MFB use strlcat()
fix buffer overrun & bug #41101
---

diff --git a/ext/standard/head.c b/ext/standard/head.c
index 7099df673f..63a42ccbb7 100644
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -94,6 +94,9 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
 	if (domain) {
 		len += domain_len;
 	}
+
+	cookie = emalloc(len + 100);
+
 	if (value && value_len == 0) {
 		/* 
 		 * MSIE doesn't delete a cookie when you set it to a null value
@@ -102,14 +105,14 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
 		 */
 		time_t t = time(NULL) - 31536001;
 		dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, t, 0 TSRMLS_CC);
-		spprintf(&cookie, 0, "Set-Cookie: %s=deleted; expires=%s", name, dt);
+		snprintf(cookie, len + 100, "Set-Cookie: %s=deleted; expires=%s", name, dt);
 		efree(dt);
 	} else {
-		spprintf(&cookie, 0, "Set-Cookie: %s=%s", name, value ? encoded_value : "");
+		snprintf(cookie, len + 100, "Set-Cookie: %s=%s", name, value ? encoded_value : "");
 		if (expires > 0) {
-			strcat(cookie, "; expires=");
+			strlcat(cookie, "; expires=", len + 100);
 			dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, expires, 0 TSRMLS_CC);
-			strcat(cookie, dt);
+			strlcat(cookie, dt, len + 100);
 			efree(dt);
 		}
 	}
@@ -119,18 +122,18 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
 	}
 
 	if (path && path_len > 0) {
-		strcat(cookie, "; path=");
-		strcat(cookie, path);
+		strlcat(cookie, "; path=", len + 100);
+		strlcat(cookie, path, len + 100);
 	}
 	if (domain && domain_len > 0) {
-		strcat(cookie, "; domain=");
-		strcat(cookie, domain);
+		strlcat(cookie, "; domain=", len + 100);
+		strlcat(cookie, domain, len + 100);
 	}
 	if (secure) {
-		strcat(cookie, "; secure");
+		strlcat(cookie, "; secure", len + 100);
 	}
 	if (httponly) {
-		strcat(cookie, "; httponly");
+		strlcat(cookie, "; httponly", len + 100);
 	}
 
 	ctr.line = cookie;