From: Xinchen Hui Date: Sun, 3 Jul 2016 01:30:33 +0000 (+0800) Subject: Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow) X-Git-Tag: php-7.0.9RC1~7 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6744737577bcbae4ff3d0082f23c9282758cacbb;p=php Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow) --- diff --git a/NEWS b/NEWS index c8abefe432..3e2be90c56 100644 --- a/NEWS +++ b/NEWS @@ -32,6 +32,9 @@ PHP NEWS . Fixed bug #72306 (Heap overflow through proc_open and $env parameter). (Laruence) +- Session: + . Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence) + - Streams: . Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault). (Laruence) diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c index b380cfe86b..64a6c47e00 100644 --- a/ext/session/mod_files.c +++ b/ext/session/mod_files.c @@ -294,6 +294,11 @@ static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime) dirname_len = strlen(dirname); + if (dirname_len >= MAXPATHLEN) { + php_error_docref(NULL, E_NOTICE, "ps_files_cleanup_dir: dirname(%s) is too long", dirname); + return (0); + } + /* Prepare buffer (dirname never changes) */ memcpy(buf, dirname, dirname_len); buf[dirname_len] = PHP_DIR_SEPARATOR;
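Review bot: The new guard `if (dirname_len >= MAXPATHLEN)` in ps_files_cleanup_dir still accepts dirname_len == MAXPATHLEN - 1, and in that case `buf[dirname_len] = PHP_DIR_SEPARATOR;` lands on the last byte of a MAXPATHLEN-sized buffer, leaving no room for a terminator or an entry name. Neither the declaration of buf nor the code that appends entry names is visible in this hunk, so please confirm that buf is at least MAXPATHLEN bytes and that the later append is bounded against dirname_len; if it is not, tighten the bound so the separator and a terminator both fit. Two smaller points on the same lines: `return (0);` gives the caller no way to tell this failure from a run that found nothing to clean, so a distinct return value or at least a comment would help, and E_NOTICE may be too quiet for a path problem that stops cleanup from running at all. The diff touches only NEWS and mod_files.c; a regression test with an over-long dirname would be worth adding alongside it.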