authorNikita Popov <nikita.ppv@gmail.com>2019-06-25 13:08:28 +0200
committerNikita Popov <nikita.ppv@gmail.com>2019-06-25 14:28:58 +0200
commit42b22d3a9418e948fddf896dbe37536c6cc12f43 (patch)
tree44806f9f9add596e3b9571ed74b1c5381276dc33 /sapi/phpdbg/phpdbg_prompt.c
parent8757f30cc7f857f9b619b2f8b2f2731507653846 (diff)
Fix out of bounds write in phpdbg
It seems that this code has a peculiar interpretation of "len", where it actually points to the last character, not one past it. So we need +1 here for that extra char and another +1 for the terminating null byte.
Diffstat (limited to 'sapi/phpdbg/phpdbg_prompt.c')
-rw-r--r--sapi/phpdbg/phpdbg_prompt.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c
index 248391b188..f2f20ae75b 100644
--- a/sapi/phpdbg/phpdbg_prompt.c
+++ b/sapi/phpdbg/phpdbg_prompt.c
@@ -838,7 +838,7 @@ PHPDBG_COMMAND(run) /* {{{ */
while (*p == ' ') p++;
while (*p) {
char sep = ' ';
- char *buf = emalloc(end - p + 1), *q = buf;
+ char *buf = emalloc(end - p + 2), *q = buf;
if (*p == '<') {
/* use as STDIN */
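Review bot: The `+ 2` on the `emalloc` line depends on an invariant that only the commit message explains: `end` addresses the last character rather than one past it, so the size needs one byte for that character and one for the terminator. I would state that next to the allocation, e.g. `/* end points at the last char, not one past it: +1 for that char, +1 for the NUL */`, so a later cleanup does not trim it back to `+ 1`. The code that writes through `q` lies outside this hunk, so whether `end - p + 2` bounds every write path cannot be confirmed from the lines shown. A regression test that passes a `run` argument line through this parser under ASan or valgrind would pin the fix. The body of `PHPDBG_COMMAND(run)` starts and ends outside the hunk.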