diff options
| author | Xinchen Hui <laruence@gmail.com> | 2018-04-10 16:32:08 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2018-04-10 16:32:08 +0800 |
| commit | 8cfb648761229727fd66866092f7fa84dd3922fc (patch) | |
| tree | bf76c9a02b30bcfc91d3989902f2f5b355ce8440 | |
| parent | 09d7ffabcd99fe9b99c4206f321fecc506635072 (diff) | |
| download | php-git-8cfb648761229727fd66866092f7fa84dd3922fc.tar.gz | |
Fixed bug #76143 (Memory corruption: arbitrary NUL overwrite)
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | sapi/phpdbg/phpdbg_io.c | 21 |
2 files changed, 11 insertions, 13 deletions
@@ -22,6 +22,9 @@ PHP NEWS . Fixed bug #76113 (mbstring does not build with Oniguruma 6.8.1). (chrullrich, cmb) +- phpdbg: + . Fixed bug #76143 (Memory corruption: arbitrary NUL overwrite). (Laruence) + - SPL: . Fixed bug #76131 (mismatch arginfo for splarray constructor). (carusogabriel) diff --git a/sapi/phpdbg/phpdbg_io.c b/sapi/phpdbg/phpdbg_io.c index ee5a656b60..1bf7227b1f 100644 --- a/sapi/phpdbg/phpdbg_io.c +++ b/sapi/phpdbg/phpdbg_io.c @@ -290,7 +290,7 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short } } - snprintf(port_buf, 7, "%u", port); + snprintf(port_buf, sizeof(port_buf), "%u", port); if (!any_addr) { rc = getaddrinfo(addr, port_buf, &hints, &res); } else { @@ -301,20 +301,18 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short #ifndef PHP_WIN32 if (rc == EAI_SYSTEM) { char buf[128]; - int wrote; - wrote = snprintf(buf, 128, "Could not translate address '%s'", addr); - buf[wrote] = '\0'; + snprintf(buf, sizeof(buf), "Could not translate address '%s'", addr); + zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf)); return sock; } else { #endif char buf[256]; - int wrote; - wrote = snprintf(buf, 256, "Host '%s' not found. %s", addr, estrdup(gai_strerror(rc))); - buf[wrote] = '\0'; + snprintf(buf, sizeof(buf), "Host '%s' not found. %s", addr, estrdup(gai_strerror(rc))); + zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf)); return sock; @@ -324,13 +322,10 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short return sock; } - if((sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) == -1) { - char buf[128]; - int wrote; + if ((sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) == -1) { + const char *msg = "Unable to create socket"; - wrote = sprintf(buf, "Unable to create socket"); - buf[wrote] = '\0'; - zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf)); + zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, msg, strlen(msg)); return sock; } |