From dad793630d5966a9c22f3fcd7f24b7937bd1a36f Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 6 Sep 2016 12:05:22 +0200 Subject: Fix #73025: Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c `command_length` is retrieved via strlen() and later passed to emalloc() and memcpy(), so the appropriate type is `size_t`. We don't add a regression test, because that would need to allocate a string of at least 2 GiB. --- Zend/zend_virtual_cwd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Zend/zend_virtual_cwd.c') diff --git a/Zend/zend_virtual_cwd.c b/Zend/zend_virtual_cwd.c index 5a5bccecab..875c8da41c 100644 --- a/Zend/zend_virtual_cwd.c +++ b/Zend/zend_virtual_cwd.c @@ -1896,7 +1896,7 @@ CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /* #else /* Unix */ CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /* {{{ */ { - int command_length; + size_t command_length; int dir_length, extra = 0; char *command_line; char *ptr, *dir; -- cgit v1.2.1