From: Yasuo Ohgaki <yohgaki@php.net>
Date: Mon, 20 May 2002 01:40:22 +0000 (+0000)
Subject: Fixed possible pg_lo_write() overflow and make it more fail safe.
X-Git-Tag: RELEASE_0_4~8
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=62b8c290836cbed1e8918153da25d08e48b8a3ab;p=php

Fixed possible pg_lo_write() overflow and make it more fail safe.
---

diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 2ec9304914..f4e41dd738 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -1904,6 +1904,16 @@ PHP_FUNCTION(pg_lo_write)
 
 	if (argc > 2) {
 		convert_to_long_ex(z_len);
+		if (Z_LVAL_PP(z_len) > Z_STRLEN_PP(str)) {
+			php_error(E_WARNING, "%s() cannot write more than buffer size %d. Tried to wtite %d",
+					  get_active_function_name(TSRMLS_C), Z_LVAL_PP(str), Z_LVAL_PP(z_len));
+			RETURN_FALSE;
+		}
+		if (Z_LVAL_PP(z_len) < 0) {
+			php_error(E_WARNING, "%s() buffer size must be larger than 0. %d specified for buffer size.",
+					  get_active_function_name(TSRMLS_C), Z_LVAL_PP(str), Z_LVAL_PP(z_len));
+			RETURN_FALSE;
+		}
 		len = Z_LVAL_PP(z_len);
 	}
 	else {
@@ -1925,7 +1935,7 @@ PHP_FUNCTION(pg_lo_write)
 PHP_FUNCTION(pg_lo_read_all)
 {
   	zval **pgsql_id;
-	int i, tbytes;
+	int tbytes;
 	volatile int nbytes;
 	char buf[PGSQL_LO_READ_BUF_SIZE];
 	pgLofp *pgsql;