From: Ilia Alshanetsky <iliaa@php.net>
Date: Mon, 26 Feb 2007 02:12:36 +0000 (+0000)
Subject: Revert previous commit that caused a buffer overflow (Bug #40634)
X-Git-Tag: php-5.2.2RC1~270
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=58c167168d6c38767768fbf1e862273f34ef6f3c;p=php

Revert previous commit that caused a buffer overflow (Bug #40634)
---

diff --git a/ext/standard/head.c b/ext/standard/head.c
index 7240d777d3..417f8df5f0 100644
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -94,6 +94,9 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
 	if (domain) {
 		len += domain_len;
 	}
+
+	cookie = emalloc(len + 100);
+
 	if (value && value_len == 0) {
 		/* 
 		 * MSIE doesn't delete a cookie when you set it to a null value
@@ -102,10 +105,10 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
 		 */
 		time_t t = time(NULL) - 31536001;
 		dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, t, 0 TSRMLS_CC);
-		spprintf(&cookie, 0, "Set-Cookie: %s=deleted; expires=%s", name, dt);
+		snprintf(cookie, len + 100, "Set-Cookie: %s=deleted; expires=%s", name, dt);
 		efree(dt);
 	} else {
-		spprintf(&cookie, 0, "Set-Cookie: %s=%s", name, value ? encoded_value : "");
+		snprintf(cookie, len + 100, "Set-Cookie: %s=%s", name, value ? encoded_value : "");
 		if (expires > 0) {
 			strlcat(cookie, "; expires=", len + 100);
 			dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, expires, 0 TSRMLS_CC);