summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorXinchen Hui <laruence@gmail.com>2018-04-10 16:32:08 +0800
committerXinchen Hui <laruence@gmail.com>2018-04-10 16:32:08 +0800
commit8cfb648761229727fd66866092f7fa84dd3922fc (patch)
treebf76c9a02b30bcfc91d3989902f2f5b355ce8440
parent09d7ffabcd99fe9b99c4206f321fecc506635072 (diff)
downloadphp-git-8cfb648761229727fd66866092f7fa84dd3922fc.tar.gz
Fixed bug #76143 (Memory corruption: arbitrary NUL overwrite)
-rw-r--r--NEWS3
-rw-r--r--sapi/phpdbg/phpdbg_io.c21
2 files changed, 11 insertions, 13 deletions
diff --git a/NEWS b/NEWS
index 22b6d86c3e..dce15ca4dd 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,9 @@ PHP NEWS
. Fixed bug #76113 (mbstring does not build with Oniguruma 6.8.1).
(chrullrich, cmb)
+- phpdbg:
+ . Fixed bug #76143 (Memory corruption: arbitrary NUL overwrite). (Laruence)
+
- SPL:
. Fixed bug #76131 (mismatch arginfo for splarray constructor).
(carusogabriel)
diff --git a/sapi/phpdbg/phpdbg_io.c b/sapi/phpdbg/phpdbg_io.c
index ee5a656b60..1bf7227b1f 100644
--- a/sapi/phpdbg/phpdbg_io.c
+++ b/sapi/phpdbg/phpdbg_io.c
@@ -290,7 +290,7 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short
}
}
- snprintf(port_buf, 7, "%u", port);
+ snprintf(port_buf, sizeof(port_buf), "%u", port);
if (!any_addr) {
rc = getaddrinfo(addr, port_buf, &hints, &res);
} else {
@@ -301,20 +301,18 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short
#ifndef PHP_WIN32
if (rc == EAI_SYSTEM) {
char buf[128];
- int wrote;
- wrote = snprintf(buf, 128, "Could not translate address '%s'", addr);
- buf[wrote] = '\0';
+ snprintf(buf, sizeof(buf), "Could not translate address '%s'", addr);
+
zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf));
return sock;
} else {
#endif
char buf[256];
- int wrote;
- wrote = snprintf(buf, 256, "Host '%s' not found. %s", addr, estrdup(gai_strerror(rc)));
- buf[wrote] = '\0';
+ snprintf(buf, sizeof(buf), "Host '%s' not found. %s", addr, estrdup(gai_strerror(rc)));
+
zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf));
return sock;
@@ -324,13 +322,10 @@ PHPDBG_API int phpdbg_create_listenable_socket(const char *addr, unsigned short
return sock;
}
- if((sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) == -1) {
- char buf[128];
- int wrote;
+ if ((sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) == -1) {
+ const char *msg = "Unable to create socket";
- wrote = sprintf(buf, "Unable to create socket");
- buf[wrote] = '\0';
- zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, buf, strlen(buf));
+ zend_quiet_write(PHPDBG_G(io)[PHPDBG_STDERR].fd, msg, strlen(msg));
return sock;
}