diff options
| author | Xinchen Hui <laruence@gmail.com> | 2016-07-03 09:30:33 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@gmail.com> | 2016-07-03 09:30:33 +0800 |
| commit | 6744737577bcbae4ff3d0082f23c9282758cacbb (patch) | |
| tree | c14c0aee1c1d112ac99ced29a6b1f3a9300bfd76 | |
| parent | c9fa39da5eaf87a55cef75f8412ed07040a7b499 (diff) | |
| download | php-git-6744737577bcbae4ff3d0082f23c9282758cacbb.tar.gz | |
Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/session/mod_files.c | 5 |
2 files changed, 8 insertions, 0 deletions
@@ -32,6 +32,9 @@ PHP NEWS . Fixed bug #72306 (Heap overflow through proc_open and $env parameter). (Laruence) +- Session: + . Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow). (Laruence) + - Streams: . Fixed bug #72439 (Stream socket with remote address leads to a segmentation fault). (Laruence) diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c index b380cfe86b..64a6c47e00 100644 --- a/ext/session/mod_files.c +++ b/ext/session/mod_files.c @@ -294,6 +294,11 @@ static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime) dirname_len = strlen(dirname); + if (dirname_len >= MAXPATHLEN) { + php_error_docref(NULL, E_NOTICE, "ps_files_cleanup_dir: dirname(%s) is too long", dirname); + return (0); + } + /* Prepare buffer (dirname never changes) */ memcpy(buf, dirname, dirname_len); buf[dirname_len] = PHP_DIR_SEPARATOR; |