From dad793630d5966a9c22f3fcd7f24b7937bd1a36f Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Tue, 6 Sep 2016 12:05:22 +0200
Subject: [PATCH] Fix #73025: Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c

`command_length` is retrieved via strlen() and later passed to emalloc() and memcpy(), so the appropriate type is `size_t`. We don't add a regression test, because that would need to allocate a string of at least 2 GiB.
---
 NEWS | 4 ++++
 Zend/zend_virtual_cwd.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 2689431207..b11b28380a 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016, PHP 5.6.27
 
+- Core:
+ . Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of
+ zend_virtual_cwd.c). (cmb)
+
 - Filter:
 . Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and
 FILTER_FLAG_NO_PRIV_RANGE). (julien)
diff --git a/Zend/zend_virtual_cwd.c b/Zend/zend_virtual_cwd.c
index 5a5bccecab..875c8da41c 100644
--- a/Zend/zend_virtual_cwd.c
+++ b/Zend/zend_virtual_cwd.c
@@ -1896,7 +1896,7 @@ CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /*
 #else /* Unix */
 CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /* {{{ */
 {
- int command_length;
+ size_t command_length;
 int dir_length, extra = 0;
 char *command_line;
 char *ptr, *dir;
-- 
2.49.0
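Review bot: `int dir_length, extra = 0;` on the line right after the change leaves two more length-like values as `int`, although the commit message gives the strlen() to emalloc()/memcpy() path as the reason `command_length` had to become `size_t`. The allocation and copy expressions lie outside this hunk (the body of `virtual_popen` continues past it), so this is a point to confirm, not a demonstrated defect: if both variables enter the same size computation, `size_t dir_length, extra = 0;` would keep the whole sum in one unsigned type. Because no regression test is added, a comment above the declaration such as `/* size_t: strlen() result feeds emalloc()/memcpy(); an int truncates for commands >= 2 GiB */` would record why the type matters. The hunk header also shows an earlier `virtual_popen` definition before `#else /* Unix */`; its length variable is not visible here and is worth checking for the same `int` truncation.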