From 315cdad9b01d10c95e44ab2d359fe244f0edfdd2 Mon Sep 17 00:00:00 2001 From: foobar Date: Wed, 31 Aug 2005 14:30:46 +0000 Subject: [PATCH] - Fixed bug #34306 (wddx_serialize_value() crashes with long array keys) --- ext/wddx/tests/bug34306.phpt | 12 ++++++++++++ ext/wddx/wddx.c | 8 +++++--- 2 files changed, 17 insertions(+), 3 deletions(-) create mode 100755 ext/wddx/tests/bug34306.phpt diff --git a/ext/wddx/tests/bug34306.phpt b/ext/wddx/tests/bug34306.phpt new file mode 100755 index 0000000000..2212dad918 --- /dev/null +++ b/ext/wddx/tests/bug34306.phpt @@ -0,0 +1,12 @@ +--TEST-- +#34306 (wddx_serialize_value() crashes with long array keys) +--FILE-- + 1); +$buf = wddx_serialize_value($var, 'name'); +echo "OK\n"; + +?> +--EXPECT-- +OK diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index d08cd6593a..2d1fa64509 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -423,7 +423,7 @@ static void php_wddx_serialize_number(wddx_packet *packet, zval *var) tmp = *var; zval_copy_ctor(&tmp); convert_to_string(&tmp); - sprintf(tmp_buf, WDDX_NUMBER, Z_STRVAL(tmp)); + snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp)); zval_dtor(&tmp); php_wddx_add_chunk(packet, tmp_buf); @@ -618,15 +618,17 @@ static void php_wddx_serialize_array(wddx_packet *packet, zval *arr) */ void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name_len TSRMLS_DC) { - char tmp_buf[WDDX_BUF_LEN]; + char *tmp_buf; char *name_esc; int name_esc_len; HashTable *ht; if (name) { name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC); - sprintf(tmp_buf, WDDX_VAR_S, name_esc); + tmp_buf = emalloc(name_esc_len + 1); + snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc); php_wddx_add_chunk(packet, tmp_buf); + efree(tmp_buf); efree(name_esc); } -- 2.50.1