From 1379ad02e36d4e242338628ce44f89f92b455101 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Sat, 23 Dec 2006 18:50:33 +0000
Subject: Added checks for negative max length and overflow checks for overly long strings.
---
 ext/sysvmsg/sysvmsg.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
(limited to 'ext/sysvmsg')
diff --git a/ext/sysvmsg/sysvmsg.c b/ext/sysvmsg/sysvmsg.c
index f4882f3a83..18c822cc09 100644
--- a/ext/sysvmsg/sysvmsg.c
+++ b/ext/sysvmsg/sysvmsg.c
@@ -294,7 +294,12 @@ PHP_FUNCTION(msg_receive)
 &out_message, &do_unserialize, &flags, &zerrcode) == FAILURE) {
 return;
 }
-
+
+ if (maxsize <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "maximum size of the message has to be greater then zero");
+ return;
+ }
+
 if (flags != 0) {
 if (flags & PHP_MSG_EXCEPT) {
 #ifndef MSG_EXCEPT
@@ -314,8 +319,8 @@ PHP_FUNCTION(msg_receive)
 ZEND_FETCH_RESOURCE(mq, sysvmsg_queue_t *, &queue, -1, "sysvmsg queue", le_sysvmsg);
- messagebuffer = (struct php_msgbuf *) emalloc(sizeof(struct php_msgbuf) + maxsize);
-
+ messagebuffer = (struct php_msgbuf *) safe_emalloc(maxsize, 1, sizeof(struct php_msgbuf));
+
 result = msgrcv(mq->id, messagebuffer, maxsize, desiredmsgtype, realflags);
 zval_dtor(out_msgtype);
@@ -389,7 +394,7 @@ PHP_FUNCTION(msg_send)
 /* NB: php_msgbuf is 1 char bigger than a long, so there is no need to
 * allocate the extra byte. */
- messagebuffer = emalloc(sizeof(struct php_msgbuf) + msg_var.len);
+ messagebuffer = safe_emalloc(msg_var.len, 1, sizeof(struct php_msgbuf));
 memcpy(messagebuffer->mtext, msg_var.c, msg_var.len + 1);
 message_len = msg_var.len;
 smart_str_free(&msg_var);
@@ -415,7 +420,7 @@ PHP_FUNCTION(msg_send)
 RETURN_FALSE;
 }
- messagebuffer = emalloc(sizeof(struct php_msgbuf) + message_len);
+ messagebuffer = safe_emalloc(message_len, 1, sizeof(struct php_msgbuf));
 memcpy(messagebuffer->mtext, p, message_len + 1);
 if (Z_TYPE_P(message) != IS_STRING) {
--
cgit v1.2.1
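Review bot: The warning text in the new `maxsize <= 0` guard misspells the comparison — "greater then zero" should be "greater than zero" — and since it is emitted as an E_WARNING it will be copied verbatim into bug reports and docs, so fix it now: `php_error_docref(NULL TSRMLS_CC, E_WARNING, "maximum size of the message has to be greater than zero");`. The guard itself is well placed: msgrcv() takes its size argument as size_t, so a negative value would otherwise reach the kernel (and the allocation in the next hunk) as a huge unsigned size. Two things are worth confirming: the guard also rejects `maxsize == 0`, which should be stated in the function's documentation if intended, and the bare `return;` hands back NULL whereas the msg_send error path visible in the last hunk uses `RETURN_FALSE`, so callers testing `=== false` may not catch this case. msg_receive's body continues outside the hunk.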
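Review bot: The replacement `safe_emalloc(maxsize, 1, sizeof(struct php_msgbuf))` converts `maxsize` (apparently a signed `long`, given the `<= 0` test) to the unsigned count argument, and it is only safe because the `maxsize <= 0` check added earlier in msg_receive rejects negatives first; nothing at this call site records that dependency, so a later reordering could silently reintroduce the wrap. A one-line comment above the allocation would pin it down, e.g. `/* maxsize was validated > 0 above, so the long -> size_t conversion cannot wrap */`. The same `maxsize` is then passed as the msgsz bound of `msgrcv()` two lines below, which keeps the mtext capacity and the kernel's copy limit in step — that is the invariant the comment should name. msg_receive's body continues on both sides of the hunk.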
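Review bot: In the last hunk, `memcpy(messagebuffer->mtext, p, message_len + 1)` copies one byte more than the `safe_emalloc(message_len, 1, sizeof(struct php_msgbuf))` count directly above it, and unlike the earlier msg_send hunk there is no comment saying why that fits; the reader has to find the NB comment in the hunk at old line 389 stating that php_msgbuf is already one char bigger than a long. Suggest repeating a short comment before this allocation: `/* len + 1 fits: php_msgbuf already reserves one byte of mtext (see NB comment above) */`. Both safe_emalloc calls in msg_send also rely on `msg_var.len` and `message_len` being non-negative; they appear to come from string lengths here, but if either variable is a signed type, an explicit guard like the one added to msg_receive would make that contract visible rather than implied. msg_send's body continues outside both hunks.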