diff options
| author | Torben Wilson <torben@php.net> | 2000-08-21 19:24:44 +0000 |
|---|---|---|
| committer | Torben Wilson <torben@php.net> | 2000-08-21 19:24:44 +0000 |
| commit | 410ac013e8524f6ee73ae50a257b3e45adbd0bc5 (patch) | |
| tree | d2f9c60e2e0f849336ffb7b3054414bd5517075a /ext/standard | |
| parent | b43df683ee6fe5299d013c81e9db9529ddf55dd5 (diff) | |
| download | php-git-410ac013e8524f6ee73ae50a257b3e45adbd0bc5.tar.gz | |
Fixed segfault with fgets(), fgetcsv(), fgetss(), and fread() when
called with negative length argument.
Diffstat (limited to 'ext/standard')
| -rw-r--r-- | ext/standard/file.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/ext/standard/file.c b/ext/standard/file.c index 82ae4d2f4d..06932de961 100644 --- a/ext/standard/file.c +++ b/ext/standard/file.c @@ -969,6 +969,10 @@ PHP_FUNCTION(fgets) convert_to_long_ex(arg2); len = (*arg2)->value.lval; + if (len < 0) { + php_error(E_WARNING, "length parameter to fgets() may not be negative"); + RETURN_FALSE; + } if (type == le_socket) { issock=1; @@ -1078,6 +1082,10 @@ PHP_FUNCTION(fgetss) convert_to_long_ex(bytes); len = (*bytes)->value.lval; + if (len < 0) { + php_error(E_WARNING, "length parameter to fgetss() may not be negative"); + RETURN_FALSE; + } buf = emalloc(sizeof(char) * (len + 1)); /*needed because recv doesnt set null char at end*/ @@ -1798,6 +1806,10 @@ PHP_FUNCTION(fread) convert_to_long_ex(arg2); len = (*arg2)->value.lval; + if (len < 0) { + php_error(E_WARNING, "length parameter to fread() may not be negative"); + RETURN_FALSE; + } return_value->value.str.val = emalloc(sizeof(char) * (len + 1)); /* needed because recv doesnt put a null at the end*/ @@ -1867,6 +1879,10 @@ PHP_FUNCTION(fgetcsv) { convert_to_long_ex(bytes); len = (*bytes)->value.lval; + if (len < 0) { + php_error(E_WARNING, "length parameter to fgetcsv() may not be negative"); + RETURN_FALSE; + } buf = emalloc(sizeof(char) * (len + 1)); /*needed because recv doesnt set null char at end*/ |