author | Christoph M. Becker <cmbecker69@gmx.de> | 2016-09-06 12:05:22 +0200 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2016-09-06 12:05:58 +0200 |
commit | dad793630d5966a9c22f3fcd7f24b7937bd1a36f (patch) | |
tree | 23f86bbecf4a3ee50d9e946165750376990e8824 | |
parent | 3a35d43ad9000d1a573d08784aead356e2ae3535 (diff) | |
download | php-git-dad793630d5966a9c22f3fcd7f24b7937bd1a36f.tar.gz |

Fix #73025: Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c

`command_length` is retrieved via strlen() and later passed to emalloc()
and memcpy(), so the appropriate type is `size_t`.

We don't add a regression test, because that would need to allocate a string
of at least 2 GiB.

-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | Zend/zend_virtual_cwd.c | 2 |
2 files changed, 5 insertions, 1 deletions
@@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2016, PHP 5.6.27 +- Core: + . Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of + zend_virtual_cwd.c). (cmb) + - Filter: . Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE). (julien) diff --git a/Zend/zend_virtual_cwd.c b/Zend/zend_virtual_cwd.c index 5a5bccecab..875c8da41c 100644 --- a/Zend/zend_virtual_cwd.c +++ b/Zend/zend_virtual_cwd.c @@ -1896,7 +1896,7 @@ CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /* #else /* Unix */ CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /* {{{ */ { - int command_length; + size_t command_length; int dir_length, extra = 0; char *command_line; char *ptr, *dir; |
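
Review bot: In the virtual_popen hunk of Zend/zend_virtual_cwd.c, the context line `int dir_length, extra = 0;` directly after the changed declaration stays signed `int`, so only one of the lengths declared here is widened. The commit message says `command_length` comes from strlen() and is passed to emalloc() and memcpy(); if `dir_length` is also taken from a string length and added into the same allocation size, it should become `size_t` as well, and the summed size should be checked for wrap-around before the allocation. It is also worth confirming that no comparison or assignment left in the function mixes the now unsigned `command_length` with the remaining signed variables, since those conversions happen silently.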