MFH fix for #34306 (wddx_serialize_value() crashes with long array keys)

author: Antony Dovgal <tony2001@php.net> 2006-05-19 10:37:32 +0000
committer: Antony Dovgal <tony2001@php.net> 2006-05-19 10:37:32 +0000
commit: 7eda78c8ce9b76afbb51264229be1e6097582cac (patch)
tree: 815549343ef3dd05fbd6f5e99c0291d26c5c6722
parent: 5795b68a12bb4f6f2150b3e3414a041f8ab73f31 (diff)
download: php-git-7eda78c8ce9b76afbb51264229be1e6097582cac.tar.gz
1 files changed, 6 insertions, 4 deletions
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 0b59a0afbf..a375997556 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -432,7 +432,7 @@ static void php_wddx_serialize_number(wddx_packet *packet, zval *var)
 	tmp = *var;
 	zval_copy_ctor(&tmp);
 	convert_to_string(&tmp);
-	sprintf(tmp_buf, WDDX_NUMBER, Z_STRVAL(tmp));
+	snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp));
 	zval_dtor(&tmp);
 
 	php_wddx_add_chunk(packet, tmp_buf);	
@@ -624,17 +624,19 @@ static void php_wddx_serialize_array(wddx_packet *packet, zval *arr)
  */
 void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name_len TSRMLS_DC)
 {
-	char tmp_buf[WDDX_BUF_LEN];
+	char *tmp_buf;
 	char *name_esc;
 	int name_esc_len;
 
 	if (name) {
 		name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
-		sprintf(tmp_buf, WDDX_VAR_S, name_esc);
+		tmp_buf = emalloc(name_esc_len + 1);
+		snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc);
 		php_wddx_add_chunk(packet, tmp_buf);
+		efree(tmp_buf);
 		efree(name_esc);
 	}
-	
+
 	switch(Z_TYPE_P(var)) {
 		case IS_STRING:
 			php_wddx_serialize_string(packet, var);
author	Antony Dovgal <tony2001@php.net>	2006-05-19 10:37:32 +0000
committer	Antony Dovgal <tony2001@php.net>	2006-05-19 10:37:32 +0000
commit	7eda78c8ce9b76afbb51264229be1e6097582cac (patch)
tree	815549343ef3dd05fbd6f5e99c0291d26c5c6722
parent	5795b68a12bb4f6f2150b3e3414a041f8ab73f31 (diff)
download	php-git-7eda78c8ce9b76afbb51264229be1e6097582cac.tar.gz