From 2af0c3bbdf6bbad899216780d49f3aac28dce83d Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Wed, 25 Feb 2004 22:12:03 +0000
Subject: [PATCH] MFH: Fixed bug #21760 (Use of uninitialized pointer inside php_read()). Fixed 3 possible crashes due to integer overflow or invalid user input inside the sockets extension.
---
 NEWS | 4 ++++
 ext/sockets/sockets.c | 16 +++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index d12ef3c31c..40d8c0d7c7 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 PHP 4 NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Feb 2004, Version 4.3.5
+- Fixed possible crashes inside socket extension, due to missing check inside
+  allocation functions. (Ilia)
 - Fixed bug #27384 (unpack() misbehaves with 1 char string). (GeorgeS)
 - Fixed bug #27383 (Potential crash inside fopen_wrapper, while parsing
   response code). (Ilia)
@@ -16,6 +18,8 @@ PHP 4 NEWS
   (Jani, Markus dot Lidel at shadowconnect dot com)
 - Fixed bug #26005 (Random "cannot change the session ini settings" errors).
   (Jani, jsnajdr at kerio dot com)
+- Fixed bug #21760 (Use of uninitialized pointer inside php_read()). (Ilia,
+  uce at ftc dot gov)
 16 Feb 2004, Version 4.3.5RC3
 - Fixed zero bytes memory allocation when no extra ini files are found in the
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index f2e1a706ae..419b55fea2 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -294,6 +294,7 @@ static int php_read(int bsd_socket, void *buf, size_t maxlen, int flags)
 	set_errno(0);
+	*t = '\0';
 	while (*t != '\n' && *t != '\r' && n < maxlen) {
 		if (m > 0) {
 			t++;
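Review bot: The new `*t = '\0';` only covers the first iteration; the `while` condition on the next line still dereferences `*t` before it tests `n < maxlen`, so once the visible `t++` has moved `t` past the last byte received and `n` reaches `maxlen`, the byte at `buf[maxlen]` is read, and that byte is only defined if the caller zeroed its buffer. Putting the bound first, `while (n < maxlen && *t != '\n' && *t != '\r') {`, makes the length check guard the dereference without changing the loop's result. The pre-loop store also writes one byte into `buf` even when `maxlen` is 0, so the contract deserves a comment above the function, e.g. `/* buf must hold at least maxlen + 1 bytes: one terminator byte is stored before the loop starts. */`. The loop body continues outside the hunk, so where `t` stops pointing at initialised data is inferred from the visible `if (m > 0)` branch.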
@@ -808,7 +809,10 @@ PHP_FUNCTION(socket_read)
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|l", &arg1, &length, &type) == FAILURE) return;
-	if(length<0) RETURN_FALSE;
+	/* overflow check */
+	if((length + 1) < 2) {
+		RETURN_FALSE;
+	}
 	tmpbuf = emalloc(length + 1);
 	ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name, le_socket);
@@ -1372,6 +1376,11 @@ PHP_FUNCTION(socket_recv)
 	ZEND_FETCH_RESOURCE(php_sock, php_socket *, &php_sock_res, -1, le_socket_name, le_socket);
+	/* overflow check */
+	if ((len + 1) < 2) {
+		RETURN_FALSE;
+	}
+
 	recv_buf = emalloc(len + 1);
 	memset(recv_buf, 0, len + 1);
@@ -1446,6 +1455,11 @@ PHP_FUNCTION(socket_recvfrom)
 	if(arg3<0) RETURN_FALSE;
+	/* overflow check */
+	if ((arg3 + 2) < 3) {
+		RETURN_FALSE;
+	}
+
 	recv_buf = emalloc(arg3 + 2);
 	memset(recv_buf, 0, arg3 + 2);
-- 
2.40.0
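Review bot: `(length + 1) < 2` relies on signed wrap-around to catch the largest `length`, but signed overflow is undefined in C and a compiler may legitimately fold the test to `length < 1`, leaving the `emalloc(length + 1)` argument unchecked for that value; the same pattern is used for `len` in the socket_recv hunk and for `arg3` in the socket_recvfrom hunk. An explicit upper bound avoids depending on wrap-around, e.g. `if (length < 1 || length >= LONG_MAX) { RETURN_FALSE; }` with `LONG_MAX` from `<limits.h>` (and `LONG_MAX - 1` as the bound for the `+ 2` allocation in socket_recvfrom). The new test also rejects `length == 0`, which the removed `length<0` check accepted; if that is intended, the `/* overflow check */` comment should say so, e.g. `/* reject non-positive lengths and keep length + 1 from overflowing */`. That `length` is a `long` is inferred from the `"rl|l"` format string visible in the hunk.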
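Review bot: The retained `if(arg3<0) RETURN_FALSE;` is now fully subsumed by the added `if ((arg3 + 2) < 3)` test two lines below it, which rejects every negative `arg3` and, unlike the old line, `arg3 == 0` as well; keeping both leaves a reader unsure which one states the real contract. Dropping the old line, or merging the two into a single `if (arg3 < 1 || arg3 > LONG_MAX - 2) { RETURN_FALSE; }`, keeps one condition next to the `emalloc(arg3 + 2)` it protects. The hunk does not explain why two extra bytes are reserved here where the other two functions reserve one, so a short comment on the `emalloc(arg3 + 2)` line would help. The rest of socket_recvfrom lies outside the hunk.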