diff options
author | Stanislav Malyshev <stas@php.net> | 2016-09-28 23:30:48 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-09-28 23:30:48 -0700 |
commit | da7e89cde880c66887caacd0a3eae7ecdacf9b2a (patch) | |
tree | ad9fd29bd979660a9e9937fa29ecb674844ae004 | |
parent | 29e2a204fb42af061e66a9f847ffbc8f1d13897a (diff) | |
download | php-git-da7e89cde880c66887caacd0a3eae7ecdacf9b2a.tar.gz |
Fix bug #73189 - Memcpy negative size parameter php_resolve_path
-rw-r--r-- | main/fopen_wrappers.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c index 74a493b2bf..af9c558b04 100644 --- a/main/fopen_wrappers.c +++ b/main/fopen_wrappers.c @@ -211,7 +211,7 @@ PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path if (path_len > 1 && path_tmp[path_len - 2] == ':') { if (path_len != 3) { return -1; - } + } /* this is c:\ */ path_tmp[path_len] = '\0'; } else { @@ -401,7 +401,7 @@ PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle TSRMLS_DC) spprintf(&filename, 0, "%s%c%s%c%s", pw->pw_dir, PHP_DIR_SEPARATOR, PG(user_dir), PHP_DIR_SEPARATOR, s + 1); /* Safe */ } else { filename = SG(request_info).path_translated; - } + } #if defined(ZTS) && defined(HAVE_GETPWNAM_R) && defined(_SC_GETPW_R_SIZE_MAX) efree(pwbuf); #endif @@ -494,8 +494,8 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c return NULL; } - if ((*filename == '.' && - (IS_SLASH(filename[1]) || + if ((*filename == '.' && + (IS_SLASH(filename[1]) || ((filename[1] == '.') && IS_SLASH(filename[2])))) || IS_ABSOLUTE_PATH(filename, filename_length) || !path || @@ -522,7 +522,7 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c } end = strchr(p, DEFAULT_DIR_SEPARATOR); if (end) { - if ((end-ptr) + 1 + filename_length + 1 >= MAXPATHLEN) { + if (filename_length > (MAXPATHLEN - 2) || (end-ptr) > MAXPATHLEN || (end-ptr) + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) { ptr = end + 1; continue; } @@ -531,9 +531,9 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c memcpy(trypath+(end-ptr)+1, filename, filename_length+1); ptr = end+1; } else { - int len = strlen(ptr); + size_t len = strlen(ptr); - if (len + 1 + filename_length + 1 >= MAXPATHLEN) { + if (filename_length > (MAXPATHLEN - 2) || len > MAXPATHLEN || (size_t)len + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) { break; } memcpy(trypath, ptr, len); @@ -571,6 +571,7 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c while ((--exec_fname_length >= 0) && !IS_SLASH(exec_fname[exec_fname_length])); if (exec_fname && exec_fname[0] != '[' && exec_fname_length > 0 && + filename_length < (MAXPATHLEN - 2) && exec_fname_length + 1 + filename_length + 1 < MAXPATHLEN) { memcpy(trypath, exec_fname, exec_fname_length + 1); memcpy(trypath+exec_fname_length + 1, filename, filename_length+1); |