archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

make length check more robust

Browse source
This commit is contained in:
Anatol Belski 2017-01-24 13:24:11 +01:00
parent 9aad38038e
commit 403f352482
1 changed files with 6 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

10
Zend/zend_virtual_cwd.c
View file

@ -965,7 +965,7 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
#endif #endif
substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR); substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
if (substitutename_len > MAXPATHLEN) { if (substitutename_len >= MAXPATHLEN) {
free_alloca(pbuffer, use_heap_large); free_alloca(pbuffer, use_heap_large);
free_alloca(tmp, use_heap); free_alloca(tmp, use_heap);
FREE_PATHW() FREE_PATHW()
@ -974,9 +974,10 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength); memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength);
tmpsubstname[substitutename_len] = L'\0'; tmpsubstname[substitutename_len] = L'\0';
substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len); substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len);
if (!substitutename) { if (!substitutename || substitutename_len >= MAXPATHLEN) {
free_alloca(pbuffer, use_heap_large); free_alloca(pbuffer, use_heap_large);
free_alloca(tmp, use_heap); free_alloca(tmp, use_heap);
free(substitutename);
#if VIRTUAL_CWD_DEBUG #if VIRTUAL_CWD_DEBUG
free(printname); free(printname);
#endif #endif
@ -999,7 +1000,7 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR); substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
if (substitutename_len > MAXPATHLEN) { if (substitutename_len >= MAXPATHLEN) {
free_alloca(pbuffer, use_heap_large); free_alloca(pbuffer, use_heap_large);
free_alloca(tmp, use_heap); free_alloca(tmp, use_heap);
FREE_PATHW() FREE_PATHW()
@ -1008,9 +1009,10 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength); memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength);
tmpsubstname[substitutename_len] = L'\0'; tmpsubstname[substitutename_len] = L'\0';
substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len); substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len);
if (!substitutename) { if (!substitutename || substitutename_len >= MAXPATHLEN) {
free_alloca(pbuffer, use_heap_large); free_alloca(pbuffer, use_heap_large);
free_alloca(tmp, use_heap); free_alloca(tmp, use_heap);
free(substitutename);
#if VIRTUAL_CWD_DEBUG #if VIRTUAL_CWD_DEBUG
free(printname); free(printname);
#endif #endif