archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix #73025: Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c

Browse source 
`command_length` is retrieved via strlen() and later passed to emalloc()
and memcpy(), so the appropriate type is `size_t`.

We don't add a regression test, because that would need to allocate a string
of at least 2 GiB.
This commit is contained in:
Christoph M. Becker 2016-09-06 12:05:22 +02:00
parent 3a35d43ad9
commit dad793630d
2 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
NEWS
View file

@ -2,6 +2,10 @@ PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2016, PHP 5.6.27
- Core:
. Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of
zend_virtual_cwd.c). (cmb)
- Filter:
. Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and
FILTER_FLAG_NO_PRIV_RANGE). (julien)

2
Zend/zend_virtual_cwd.c
View file

@ -1896,7 +1896,7 @@ CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /*
#else /* Unix */
CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /* {{{ */
{
int command_length;
size_t command_length;
int dir_length, extra = 0;
char *command_line;
char *ptr, *dir;