From: Thies C. Arntzen <thies@php.net>
Date: Sun, 6 Feb 2000 14:36:27 +0000 (+0000)
Subject: fix for #3413
X-Git-Tag: BEFORE_SAPIFICATION_FEB_10_2000~62
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=59e466d54c4a3b452af958c10d447aa9827d09d7;p=php

fix for #3413
@- Fixed possible buffer-overflow in setcookie(). (Thies)
---

diff --git a/ext/standard/head.c b/ext/standard/head.c
index 8e33490cda..493703e772 100644
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -242,10 +242,10 @@ CookieList *php_pop_cookie_list(void)
 /* php_set_cookie(name,value,expires,path,domain,secure) */
 PHP_FUNCTION(setcookie)
 {
-	char *cookie;
+	char *cookie, *encoded_value = NULL;
 	int len=sizeof("Set-Cookie: ");
 	time_t t;
-	char *r, *dt;
+	char *dt;
 	char *name = NULL, *value = NULL, *path = NULL, *domain = NULL;
 	time_t expires = 0;
 	int secure = 0;
@@ -293,7 +293,8 @@ PHP_FUNCTION(setcookie)
 		len += strlen(name);
 	}
 	if (value) {
-		len += strlen(value);
+		encoded_value = php_url_encode(value, strlen (value));
+		len += strlen(encoded_value);
 	}
 	if (path) {
 		len += strlen(path);
@@ -316,9 +317,7 @@ PHP_FUNCTION(setcookie)
 		efree(dt);
 	} else {
 		/* FIXME: XXX: this is not binary data safe */
-		r = php_url_encode(value, strlen (value));
-		sprintf(cookie, "Set-Cookie: %s=%s", name, value ? r : "");
-		if (r) efree(r);
+		sprintf(cookie, "Set-Cookie: %s=%s", name, value ? encoded_value : "");
 		if (value) efree(value);
 		value=NULL;
 		if (name) efree(name);
@@ -330,6 +329,9 @@ PHP_FUNCTION(setcookie)
 			efree(dt);
 		}
 	}
+
+	if (encoded_value) efree(encoded_value);
+
 	if (path && strlen(path)) {
 		strcat(cookie, "; path=");
 		strcat(cookie, path);