MFB: Fixed possible buffer overflows inside the fnmatch() and glob()

functions
This commit is contained in:
Ilia Alshanetsky 2007-09-05 12:55:36 +00:00
parent 74c08d50d5
commit 4ed9af35cd
2 changed files with 10 additions and 0 deletions

View file

@ -427,6 +427,11 @@ PHP_FUNCTION(glob)
return; return;
} }
if (pattern_len >= MAXPATHLEN) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN);
RETURN_FALSE;
}
if ((GLOB_AVAILABLE_FLAGS & flags) != flags) { if ((GLOB_AVAILABLE_FLAGS & flags) != flags) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "At least one of the passed flags is invalid or not supported on this platform"); php_error_docref(NULL TSRMLS_CC, E_WARNING, "At least one of the passed flags is invalid or not supported on this platform");
RETURN_FALSE; RETURN_FALSE;

View file

@ -2894,6 +2894,11 @@ PHP_FUNCTION(fnmatch)
zend_unicode_to_string_ex(UG(utf8_conv), &filename_utf8, &filename_utf8_len, filename.u, filename_len, &status); zend_unicode_to_string_ex(UG(utf8_conv), &filename_utf8, &filename_utf8_len, filename.u, filename_len, &status);
pattern.s = pattern_utf8; pattern.s = pattern_utf8;
filename.s = filename_utf8; filename.s = filename_utf8;
filename_len = filename_utf8_len;
}
if (filename_len >= MAXPATHLEN) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN);
RETURN_FALSE;
} }
RETVAL_BOOL( ! fnmatch( pattern.s, filename.s, flags )); RETVAL_BOOL( ! fnmatch( pattern.s, filename.s, flags ));