authorPierre Joye <pajoye@php.net>2009-08-26 19:57:01 +0000
committerPierre Joye <pajoye@php.net>2009-08-26 19:57:01 +0000
commitbae3df750514773a04cf12ada4bdb34a7b7684f7 (patch)
treedabaea55310c99b1e65475a3d50469fcff9593c7 /TSRM
parent48d031aa6e77d7c97e232d1215d02ba086db3a12 (diff)
- fix #44683, popen crashes when an invalid mode is passed (works on 2k8/vista/win7)
Diffstat (limited to 'TSRM')
-rw-r--r--TSRM/tsrm_win32.c25
1 files changed, 22 insertions, 3 deletions
diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
index bfaac2e446..b2e94d22af 100644
--- a/TSRM/tsrm_win32.c
+++ b/TSRM/tsrm_win32.c
@@ -305,7 +305,7 @@ TSRM_API FILE *popen(const char *command, const char *type)
TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd, char *env)
{
FILE *stream = NULL;
- int fno, str_len = strlen(type), read, mode;
+ int fno, type_len = strlen(type), read, mode;
STARTUPINFO startup;
PROCESS_INFORMATION process;
SECURITY_ATTRIBUTES security;
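Review bot: The initializer `type_len = strlen(type)` on the changed declaration line still runs before the `if (!type)` guard that this commit adds in the next hunk, so a NULL `type` is dereferenced before the guard can return. Because `type_len` is assigned again right after that guard, the declaration can simply drop the call: `int fno, type_len, read, mode;`. The body of popen_ex continues outside this hunk.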
@@ -313,13 +313,32 @@ TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd,
DWORD dwCreateFlags = 0;
process_pair *proc;
char *cmd;
+ int i;
+ char *ptype = (char *)type;
TSRMLS_FETCH();
+ if (!type) {
+ return NULL;
+ }
+
+ /*The following two checks can be removed once we drop XP support */
+ type_len = strlen(type);
+ if (type_len <1 || type_len > 2) {
+ return NULL;
+ }
+
+ for (i=0; i < type_len; i++) {
+ if (!(*ptype == 'r' || *ptype == 'w' || *ptype == 'b' || *ptype == 't')) {
+ return NULL;
+ }
+ ptype++;
+ }
+
security.nLength = sizeof(SECURITY_ATTRIBUTES);
security.bInheritHandle = TRUE;
security.lpSecurityDescriptor = NULL;
- if (!str_len || !CreatePipe(&in, &out, &security, 2048L)) {
+ if (!type_len || !CreatePipe(&in, &out, &security, 2048L)) {
return NULL;
}
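Review bot: The character loop accepts `r`, `w`, `b` or `t` in either position, so strings such as `b`, `tb`, `rw` or `rr` pass validation, and `read = (type[0] == 'r')` further down then treats anything not starting with `r` as a write pipe. A positional check rejects them: `if ((type[0] != 'r' && type[0] != 'w') || (type_len == 2 && type[1] != 'b' && type[1] != 't')) return NULL;`. That also makes `i` and `ptype` unnecessary, and with them the `(char *)type` cast that discards const on a pointer that is only read. The `!type_len` test in front of CreatePipe is unreachable after the length check above it. popen_ex starts and ends outside this hunk, so whether the malformed-but-accepted strings still reach the call that crashed is not visible here.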
@@ -331,7 +350,7 @@ TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd,
startup.hStdError = GetStdHandle(STD_ERROR_HANDLE);
read = (type[0] == 'r') ? TRUE : FALSE;
- mode = ((str_len == 2) && (type[1] == 'b')) ? O_BINARY : O_TEXT;
+ mode = ((type_len == 2) && (type[1] == 'b')) ? O_BINARY : O_TEXT;
if (read) {
in = dupHandle(in, FALSE);