From: Stanislav Malyshev <stas@php.net>
Date: Thu, 29 Sep 2016 06:30:48 +0000 (-0700)
Subject: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
X-Git-Tag: php-7.1.0RC4~21^2~17
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c4c2cce37dd99bbcf1411ad8d6884c3c927d7bc9;p=php

Fix bug #73189 - Memcpy negative size parameter php_resolve_path

(cherry picked from commit da7e89cde880c66887caacd0a3eae7ecdacf9b2a)
---

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index bf78db3bdf..b554c38039 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -536,7 +536,7 @@ PHPAPI zend_string *php_resolve_path(const char *filename, int filename_length,
 		}
 		end = strchr(p, DEFAULT_DIR_SEPARATOR);
 		if (end) {
-			if ((end-ptr) + 1 + filename_length + 1 >= MAXPATHLEN) {
+			if (filename_length > (MAXPATHLEN - 2) || (end-ptr) > MAXPATHLEN || (end-ptr) + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
 				ptr = end + 1;
 				continue;
 			}
@@ -545,9 +545,9 @@ PHPAPI zend_string *php_resolve_path(const char *filename, int filename_length,
 			memcpy(trypath+(end-ptr)+1, filename, filename_length+1);
 			ptr = end+1;
 		} else {
-			int len = (int)strlen(ptr);
+			size_t len = strlen(ptr);
 
-			if (len + 1 + filename_length + 1 >= MAXPATHLEN) {
+			if (filename_length > (MAXPATHLEN - 2) || len > MAXPATHLEN || len + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
 				break;
 			}
 			memcpy(trypath, ptr, len);
@@ -585,6 +585,7 @@ PHPAPI zend_string *php_resolve_path(const char *filename, int filename_length,
 
 		while ((--exec_fname_length < SIZE_MAX) && !IS_SLASH(exec_fname[exec_fname_length]));
 		if (exec_fname_length > 0 &&
+			filename_length < (MAXPATHLEN - 2) &&
 		    exec_fname_length + 1 + filename_length + 1 < MAXPATHLEN) {
 			memcpy(trypath, exec_fname, exec_fname_length + 1);
 			memcpy(trypath+exec_fname_length + 1, filename, filename_length+1);