1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
Backported from 5.6.27 by Remi.
From da7e89cde880c66887caacd0a3eae7ecdacf9b2a Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Wed, 28 Sep 2016 23:30:48 -0700
Subject: [PATCH] Fix bug #73189 - Memcpy negative size parameter
php_resolve_path
---
main/fopen_wrappers.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index 74a493b..af9c558 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -211,7 +211,7 @@ PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path
if (path_len > 1 && path_tmp[path_len - 2] == ':') {
if (path_len != 3) {
return -1;
- }
+ }
/* this is c:\ */
path_tmp[path_len] = '\0';
} else {
@@ -401,7 +401,7 @@ PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle TSRMLS_DC)
spprintf(&filename, 0, "%s%c%s%c%s", pw->pw_dir, PHP_DIR_SEPARATOR, PG(user_dir), PHP_DIR_SEPARATOR, s + 1); /* Safe */
} else {
filename = SG(request_info).path_translated;
- }
+ }
#if defined(ZTS) && defined(HAVE_GETPWNAM_R) && defined(_SC_GETPW_R_SIZE_MAX)
efree(pwbuf);
#endif
@@ -494,8 +494,8 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
return NULL;
}
- if ((*filename == '.' &&
- (IS_SLASH(filename[1]) ||
+ if ((*filename == '.' &&
+ (IS_SLASH(filename[1]) ||
((filename[1] == '.') && IS_SLASH(filename[2])))) ||
IS_ABSOLUTE_PATH(filename, filename_length) ||
!path ||
@@ -522,7 +522,7 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
}
end = strchr(p, DEFAULT_DIR_SEPARATOR);
if (end) {
- if ((end-ptr) + 1 + filename_length + 1 >= MAXPATHLEN) {
+ if (filename_length > (MAXPATHLEN - 2) || (end-ptr) > MAXPATHLEN || (end-ptr) + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
ptr = end + 1;
continue;
}
@@ -531,9 +531,9 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
memcpy(trypath+(end-ptr)+1, filename, filename_length+1);
ptr = end+1;
} else {
- int len = strlen(ptr);
+ size_t len = strlen(ptr);
- if (len + 1 + filename_length + 1 >= MAXPATHLEN) {
+ if (filename_length > (MAXPATHLEN - 2) || len > MAXPATHLEN || (size_t)len + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
break;
}
memcpy(trypath, ptr, len);
@@ -571,6 +571,7 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
while ((--exec_fname_length >= 0) && !IS_SLASH(exec_fname[exec_fname_length]));
if (exec_fname && exec_fname[0] != '[' &&
exec_fname_length > 0 &&
+ filename_length < (MAXPATHLEN - 2) &&
exec_fname_length + 1 + filename_length + 1 < MAXPATHLEN) {
memcpy(trypath, exec_fname, exec_fname_length + 1);
memcpy(trypath+exec_fname_length + 1, filename, filename_length+1);
--
2.1.4
|
