archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix GH-10715: phpdbg heap buffer overflow -- by misuse of the option "--run"

Browse source 
Fixes GH-10715

When a string starting with a NUL character is passed to
phpdbg_vprint(), the vasprintf() will return that 0 characters have been
printed. This causes msglen == 0. When phpdbg_process_print() is called
with a message of length 0, the -1 to check for '\n' will perform an out
of bounds read. Since nothing is printed anyway for msglen == 0, it
seems best to just skip the printing routine for this case.

Closes GH-10720.
This commit is contained in:
Niels Dossche 2023-02-27 19:44:42 +01:00 committed by David Carlier
parent 44e5c04e55
commit 0f21cbc57c
3 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -61,6 +61,9 @@ PHP NEWS
. Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars). . Fixed bug #60994 (Reading a multibyte CLOB caps at 8192 chars).
(Michael Voříšek) (Michael Voříšek)
- PHPDBG:
. Fixed bug GH-10715 (heap buffer overflow on --run option misuse). (nielsdos)
- PGSQL: - PGSQL:
. Fix GH-10672 (pg_lo_open segfaults in the strict_types mode). (girgias) . Fix GH-10672 (pg_lo_open segfaults in the strict_types mode). (girgias)

6
sapi/phpdbg/phpdbg_out.c
View file

@ -143,7 +143,11 @@ PHPDBG_API int phpdbg_vprint(int type, int fd, const char *strfmt, va_list args)
return msglen; return msglen;
} }
len = phpdbg_process_print(fd, type, msg, msglen); if (UNEXPECTED(msglen == 0)) {
len = 0;
} else {
len = phpdbg_process_print(fd, type, msg, msglen);
}
if (msg) { if (msg) {
free(msg); free(msg);

BIN
sapi/phpdbg/tests/gh10715.phpt Normal file
View file

Binary file not shown.