From c11e307ae0784f2343b40173808e1b62e1ab81ef Mon Sep 17 00:00:00 2001 From: Felipe Pena Date: Sat, 7 May 2011 01:58:26 +0000 Subject: - Fixed bug #54681 (addGlob() crashes on invalid flags) --- ext/zip/php_zip.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) (limited to 'ext/zip') diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index 078a9bc091..7f516c2872 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -494,6 +494,28 @@ static char * php_zipobj_get_zip_comment(struct zip *za, int *len TSRMLS_DC) /* #else #define GLOB_FLAGMASK (~0) #endif +#ifndef GLOB_BRACE +# define GLOB_BRACE 0 +#endif +#ifndef GLOB_MARK +# define GLOB_MARK 0 +#endif +#ifndef GLOB_NOSORT +# define GLOB_NOSORT 0 +#endif +#ifndef GLOB_NOCHECK +# define GLOB_NOCHECK 0 +#endif +#ifndef GLOB_NOESCAPE +# define GLOB_NOESCAPE 0 +#endif +#ifndef GLOB_ERR +# define GLOB_ERR 0 +#endif + +/* This is used for checking validity of passed flags (passing invalid flags causes segfault in glob()!! */ +#define GLOB_AVAILABLE_FLAGS (0 | GLOB_BRACE | GLOB_MARK | GLOB_NOSORT | GLOB_NOCHECK | GLOB_NOESCAPE | GLOB_ERR | GLOB_ONLYDIR) + #endif /* }}} */ int php_zip_glob(char *pattern, int pattern_len, long flags, zval *return_value TSRMLS_DC) /* {{{ */ @@ -508,6 +530,16 @@ int php_zip_glob(char *pattern, int pattern_len, long flags, zval *return_value glob_t globbuf; int n; int ret; + + if (pattern_len >= MAXPATHLEN) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN); + return -1; + } + + if ((GLOB_AVAILABLE_FLAGS & flags) != flags) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "At least one of the passed flags is invalid or not supported on this platform"); + return -1; + } #ifdef ZTS if (!IS_ABSOLUTE_PATH(pattern, pattern_len)) { -- cgit v1.2.1