From 93ffc14028841076b75610139271bb9408275f3c Mon Sep 17 00:00:00 2001
From: Rob Richards <rrichards@php.net>
Date: Wed, 5 Oct 2005 22:36:10 +0000
Subject: [PATCH] MFH: fix buffer lengths passed to snprintf

---
 ext/wddx/php_wddx_api.h | 3 +++
 ext/wddx/wddx.c         | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ext/wddx/php_wddx_api.h b/ext/wddx/php_wddx_api.h
index edd788498e..3c62f70205 100644
--- a/ext/wddx/php_wddx_api.h
+++ b/ext/wddx/php_wddx_api.h
@@ -47,6 +47,9 @@
 #define WDDX_VAR_S				"<var name='%s'>"
 #define WDDX_VAR_E				"</var>"
 
+#define WDDX_NUMBER_LEN			17
+#define WDDX_VAR_S_LEN			13
+
 #define php_wddx_add_chunk(packet, str)	smart_str_appends(packet, str)
 #define php_wddx_add_chunk_ex(packet, str, len)	smart_str_appendl(packet, str, len)
 #define php_wddx_add_chunk_static(packet, str) smart_str_appendl(packet, str, sizeof(str)-1)
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 3bd8bcf596..14da1cb952 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -422,7 +422,7 @@ static void php_wddx_serialize_number(wddx_packet *packet, zval *var)
 	tmp = *var;
 	zval_copy_ctor(&tmp);
 	convert_to_string(&tmp);
-	snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp));
+	snprintf(tmp_buf, Z_STRLEN(tmp) + WDDX_NUMBER_LEN + 1, WDDX_NUMBER, Z_STRVAL(tmp));
 	zval_dtor(&tmp);
 
 	php_wddx_add_chunk(packet, tmp_buf);	
@@ -624,8 +624,8 @@ void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name
 
 	if (name) {
 		name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
-		tmp_buf = emalloc(name_esc_len + 1);
-		snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc);
+		tmp_buf = emalloc(name_esc_len + WDDX_VAR_S_LEN + 1);
+		snprintf(tmp_buf, name_esc_len + WDDX_VAR_S_LEN + 1, WDDX_VAR_S, name_esc);
 		php_wddx_add_chunk(packet, tmp_buf);
 		efree(tmp_buf);
 		efree(name_esc);
-- 
2.40.0