Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)

2025-08-15 21:48:51 +02:00 · 2016-07-03 09:30:33 +08:00 · 2016-07-03 09:30:33 +08:00 · 6744737577
commit 6744737577
parent c9fa39da5e
2 changed files with 8 additions and 0 deletions
--- a/3
+++ b/3
@ -32,6 +32,9 @@ PHP                                                                        NEWS
  . Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
    (Laruence)

+- Session:
+  . Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence)
+
 - Streams:
  . Fixed bug #72439 (Stream socket with remote address leads to a segmentation
    fault). (Laruence)
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@ -294,6 +294,11 @@ static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime)

 	dirname_len = strlen(dirname);

+	if (dirname_len >= MAXPATHLEN) {
+		php_error_docref(NULL, E_NOTICE, "ps_files_cleanup_dir: dirname(%s) is too long", dirname);
+		return (0);
+	}
+
 	/* Prepare buffer (dirname never changes) */
 	memcpy(buf, dirname, dirname_len);
 	buf[dirname_len] = PHP_DIR_SEPARATOR;