From 4ed9af35cdd10854eaa3a4bfef3ca55ff1cf0658 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 5 Sep 2007 12:55:36 +0000
Subject: [PATCH] MFB: Fixed possible buffer overflows inside the fnmatch() and
 glob() functions

---
 ext/standard/dir.c  | 5 +++++
 ext/standard/file.c | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/ext/standard/dir.c b/ext/standard/dir.c
index f282a80464..275d102bcf 100644
--- a/ext/standard/dir.c
+++ b/ext/standard/dir.c
@@ -427,6 +427,11 @@ PHP_FUNCTION(glob)
 		return;
 	}
 
+	if (pattern_len >= MAXPATHLEN) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN);
+		RETURN_FALSE;
+	}
+
 	if ((GLOB_AVAILABLE_FLAGS & flags) != flags) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "At least one of the passed flags is invalid or not supported on this platform");
 		RETURN_FALSE;
diff --git a/ext/standard/file.c b/ext/standard/file.c
index 39a71f10ac..3ea5ee8f8d 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -2894,6 +2894,11 @@ PHP_FUNCTION(fnmatch)
 		zend_unicode_to_string_ex(UG(utf8_conv), &filename_utf8, &filename_utf8_len, filename.u, filename_len, &status);
 		pattern.s = pattern_utf8;
 		filename.s = filename_utf8;
+		filename_len = filename_utf8_len;
+	}
+	if (filename_len >= MAXPATHLEN) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN);
+		RETURN_FALSE;
 	}
 
 	RETVAL_BOOL( ! fnmatch( pattern.s, filename.s, flags ));
-- 
2.40.0