From 34dc00fd7a1f7a7656c154170b13b7dd69276a20 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Sat, 23 Dec 2006 23:29:41 +0000
Subject: [PATCH] MFB: safety checks
---
 ext/zip/php_zip.c | 23 +++++++++++------------
 ext/zip/zip_stream.c | 8 ++++----
 2 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 075124db67..bc76ee8d68 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -83,30 +83,29 @@ static int le_zip_entry;
 /* {{{ php_zip_extract_file */
 /* TODO: Simplify it */
-static int php_zip_extract_file(struct zip * za, char *dest, char *file TSRMLS_DC)
+static int php_zip_extract_file(struct zip * za, char *dest, char *file, int file_len TSRMLS_DC)
 {
 php_stream_statbuf ssb;
 struct zip_file *zf;
 struct zip_stat sb;
 char b[8192];
- int n, len, ret, file_len;
+ int n, len, ret;
 php_stream *stream;
 char *fullpath;
 char *file_dirname_fullpath;
- char file_dirname[MAXPATHLEN + 1];
+ char file_dirname[MAXPATHLEN];
 size_t dir_len;
 char *file_basename;
 size_t file_basename_len;
- if (zip_stat(za, file, 0, &sb)) {
+ if (file_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb)) {
 return 0;
 }
- file_len = strlen(file);
 memcpy(file_dirname, file, file_len);
 dir_len = php_dirname(file_dirname, file_len);
@@ -117,7 +116,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file TSRMLS_D
 len = spprintf(&file_dirname_fullpath, 0, "%s", dest);
 }
- php_basename(file, file_len, NULL, 0, &file_basename, (int *)&file_basename_len TSRMLS_CC);
+ php_basename(file, file_len, NULL, 0, &file_basename, &file_basename_len TSRMLS_CC);
 /* let see if the path already exists */
 if (php_stream_stat_path(file_dirname_fullpath, &ssb) < 0) {
@@ -876,7 +875,7 @@ static ZIPARCHIVE_METHOD(open)
 int filename_len;
 int err = 0;
 long flags = 0;
- char resolved_path[MAXPATHLEN + 1];
+ char resolved_path[MAXPATHLEN];
 zval *this = getThis();
 ze_zip_object *ze_obj = NULL;
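Review bot: The new `file_len` parameter of php_zip_extract_file is a signed `int`, and the added guard `file_len >= MAXPATHLEN` lets a negative value through to `memcpy(file_dirname, file, file_len)`, where it would convert to a very large size. One caller in this patch passes `strlen(file)`, which narrows a size_t into that int. Extending the guard to `if (file_len < 0 || file_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb)) {`, or declaring the parameter as `size_t`, closes the gap. Separately, nothing in the visible lines rejects `..` components in an entry name before it is combined with `dest`; the function body continues outside the hunk, so that may be handled there, but it belongs with these checks if it is not.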
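Review bot: Shrinking `resolved_path` from `MAXPATHLEN + 1` to `MAXPATHLEN` in ZIPARCHIVE_METHOD(open) is only safe if whatever fills the buffer never writes more than MAXPATHLEN bytes including the terminator, and that call is outside this hunk. It is worth confirming against the contract of that path-resolving call and recording it at the declaration, for example `/* resolver writes at most MAXPATHLEN bytes, NUL included */`. The identical change in the ZIPARCHIVE_METHOD(addFile) hunk needs the same confirmation.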
@@ -995,7 +994,7 @@ static ZIPARCHIVE_METHOD(addFile)
 struct zip_source *zs;
 long offset_start = 0, offset_len = 0;
 int cur_idx, res;
- char resolved_path[MAXPATHLEN + 1];
+ char resolved_path[MAXPATHLEN];
 if (!this) {
 RETURN_FALSE;
@@ -1759,7 +1758,7 @@ static ZIPARCHIVE_METHOD(extractTo)
 RETURN_FALSE;
 }
- if (!php_zip_extract_file(intern, pathto, file TSRMLS_CC)) {
+ if (!php_zip_extract_file(intern, pathto, file, file_len TSRMLS_CC)) {
 efree(file);
 RETURN_FALSE;
 }
@@ -1789,7 +1788,7 @@ static ZIPARCHIVE_METHOD(extractTo)
 RETURN_FALSE;
 }
- if (!php_zip_extract_file(intern, pathto, file TSRMLS_CC)) {
+ if (!php_zip_extract_file(intern, pathto, file, file_len TSRMLS_CC)) {
 efree(file);
 RETURN_FALSE;
 }
@@ -1814,7 +1813,7 @@ static ZIPARCHIVE_METHOD(extractTo)
 for (i = 0; i < filecount; i++) {
 file = (char*)zip_get_name(intern, i, ZIP_FL_UNCHANGED);
- if (!php_zip_extract_file(intern, pathto, file TSRMLS_CC)) {
+ if (!php_zip_extract_file(intern, pathto, file, strlen(file) TSRMLS_CC)) {
 RETURN_FALSE;
 }
 }
@@ -1877,7 +1876,7 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
 RETURN_FALSE;
 }
- buffer = safe_emalloc(len + 1, 1, 1);
+ buffer = safe_emalloc(len, 1, 2);
 n = zip_fread(zf, buffer, len);
 if (n < 1) {
 RETURN_EMPTY_STRING();
diff --git a/ext/zip/zip_stream.c b/ext/zip/zip_stream.c
index 83e9ceab3e..c36df3e4c0 100644
--- a/ext/zip/zip_stream.c
+++ b/ext/zip/zip_stream.c
@@ -153,7 +153,7 @@ php_stream *php_stream_zip_opener(php_stream_wrapper *wrapper,
 char *file_basename;
 size_t file_basename_len;
- char file_dirname[MAXPATHLEN+1];
+ char file_dirname[MAXPATHLEN];
 struct zip *za;
 struct zip_file *zf = NULL;
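Review bot: In the loop hunk of ZIPARCHIVE_METHOD(extractTo), `strlen(file)` is now evaluated on the result of `zip_get_name()` before anything checks it, and zip_get_name() returns NULL on error. Before this change the strlen ran inside php_zip_extract_file only after `zip_stat()` had succeeded, which presumably caught a bad name first. A guard ahead of the call, `if (!file) { RETURN_FALSE; }`, keeps the old failure behaviour. The entry name here comes straight from the archive, so this is the call site where the new `int file_len` narrowing matters most.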
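Review bot: The `n < 1` branch in php_zip_get_from leaves through `RETURN_EMPTY_STRING()` without releasing `buffer`, which the line above has just allocated with `safe_emalloc(len, 1, 2)`; adding `efree(buffer);` before the return fixes that. The hunk ends inside this branch, so whether `zf` is closed on this path cannot be seen here and should be checked. The offset of 2, where the old code reserved a single extra byte, deserves a one-line comment saying what the second byte is for.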
@@ -179,15 +179,15 @@ php_stream *php_stream_zip_opener(php_stream_wrapper *wrapper,
 return NULL;
 }
 path_len = strlen(path);
+ if (path_len >= MAXPATHLEN || mode[0] != 'r') {
+ return NULL;
+ }
 memcpy(file_dirname, path, path_len - fragment_len);
 file_dirname[path_len - fragment_len] = '\0';
 php_basename(path, path_len - fragment_len, NULL, 0, &file_basename, &file_basename_len TSRMLS_CC);
 fragment++;
- if (mode[0] != 'r') {
- return NULL;
- }
 za = zip_open(file_dirname, ZIP_CREATE, &err);
 if (za) {
-- 
2.40.0
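Review bot: The added guard in php_stream_zip_opener bounds `path_len`, but only `path_len - fragment_len` bytes are copied into `file_dirname`, so the check is stricter than the buffer requires. That is safe for the `memcpy` and the terminator write, but it rejects an archive path that fits when the entry fragment is long, and it does so without any diagnostic. Either compare the copied length, `if (path_len - fragment_len >= MAXPATHLEN || mode[0] != 'r') {`, or keep the stricter form and say why with a comment such as `/* whole URL must fit in MAXPATHLEN; only read mode is supported */`. The relation `fragment_len <= path_len` is established outside this hunk and is assumed here.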