From: Sara Golemon <pollita@php.net>
Date: Tue, 10 Jun 2014 18:18:02 +0000 (-0700)
Subject: Fix potential segfault in dns_get_record()
X-Git-Tag: php-5.3.29RC1~29
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d400b74296989afadddc960db5ad103bf61e51d0;p=php

Fix potential segfault in dns_get_record()

If the remote sends us a packet with a malformed TXT record,
we could end up trying to over-consume the packet and wander
off into overruns.
---

diff --git a/ext/standard/dns.c b/ext/standard/dns.c
index 8e24a817ff..67ea459ea2 100644
--- a/ext/standard/dns.c
+++ b/ext/standard/dns.c
@@ -507,6 +507,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 				
 				while (ll < dlen) {
 					n = cp[ll];
+					if ((ll + n) >= dlen) {
+						// Invalid chunk length, truncate
+						n = dlen - (ll + 1);
+					}
 					memcpy(tp + ll , cp + ll + 1, n);
 					add_next_index_stringl(entries, cp + ll + 1, n, 1);
 					ll = ll + n + 1;