georg           Wed Dec 11 03:28:42 2002 EDT

  Modified files:              
    /php4/ext/mysql/libmysql    libmysql.c 
  Log:
  Security fix (merged from 3.23.54)
  
  
Index: php4/ext/mysql/libmysql/libmysql.c
diff -u php4/ext/mysql/libmysql/libmysql.c:1.11 php4/ext/mysql/libmysql/libmysql.c:1.12
--- php4/ext/mysql/libmysql/libmysql.c:1.11     Tue Nov 12 18:34:06 2002
+++ php4/ext/mysql/libmysql/libmysql.c  Wed Dec 11 03:28:41 2002
@@ -872,7 +872,7 @@
   uint field,pkt_len;
   ulong len;
   uchar *cp;
-  char *to;
+  char *to, *end_to;
   MYSQL_DATA *result;
   MYSQL_ROWS **prev_ptr,*cur;
   NET *net = &mysql->net;
@@ -910,6 +910,7 @@
     *prev_ptr=cur;
     prev_ptr= &cur->next;
     to= (char*) (cur->data+fields+1);
+    end_to = to + pkt_len - 1;
     for (field=0 ; field < fields ; field++)
     {
       if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
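Review bot: `end_to = to + pkt_len - 1;` rests on an assumption that is not written down: it is a valid bound only if the row allocation made earlier in this function (outside the hunk) leaves at least `pkt_len` bytes after the `fields+1` pointers. A comment on the new line would pin that, for example `/* last writable byte of the row buffer; the allocation above must leave pkt_len bytes after the field pointers */`. It is also worth noting there that `pkt_len` is expected to be non-zero at this point, since a zero value would place `end_to` before the start of the buffer.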
@@ -919,6 +920,13 @@
       else
       {
        cur->data[field] = to;
+       if (len > end_to - to)
+       {
+         free_rows(result);
+         net->last_errno = CR_UNKNOWN_ERROR;
+         strmov(net->last_error, ER(net->last_errno));
+         DBUG_RETURN(0);
+       }
        memcpy(to,(char*) cp,len); to[len]=0;
        to+=len+1;
        cp+=len;
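Review bot: The new guard `if (len > end_to - to)` compares an unsigned `ulong` with a signed pointer difference, so its outcome depends on implicit conversion rules. After a field that exactly fills the remaining space, `to+=len+1` leaves `to` one past `end_to`; if another field follows, the difference is -1, which becomes a very large value wherever it is converted to unsigned long, and the check then accepts any `len`. Writing it as `if (to > end_to || len > (ulong) (end_to - to))` makes the comparison explicit and covers that case. The same pattern appears in the later hunk at `if (len > end_pos - pos)`, where `pos` may already have advanced past `end_pos`. The enclosing function begins and ends outside this hunk.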
@@ -953,7 +961,7 @@
 {
   uint field;
   ulong pkt_len,len;
-  uchar *pos,*prev_pos;
+  uchar *pos,*prev_pos,*end_pos;
 
   if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error)
     return -1;
@@ -961,6 +969,7 @@
     return 1;                          /* End of data */
   prev_pos= 0;                         /* allowed to write at packet[-1] */
   pos=mysql->net.read_pos;
+  end_pos=pos+pkt_len;
   for (field=0 ; field < fields ; field++)
   {
     if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH)
@@ -970,6 +979,12 @@
     }
     else
     {
+      if (len > end_pos - pos)
+      {
+       mysql->net.last_errno=CR_UNKNOWN_ERROR;
+       strmov(mysql->net.last_error, ER(mysql->net.last_errno));
+       return -1;
+      }
       row[field] = (char*) pos;
       pos+=len;
       *lengths++=len;
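Review bot: The bound check here runs only after `net_field_length(&pos)` has already decoded the length prefix, and nothing in the visible lines confirms that `pos` is still below `end_pos` when that call reads from it. If the helper does no bounds checking of its own (it is not shown), a packet holding fewer bytes than `fields` requires would be read past its end before the new test is reached. A guard at the top of the loop body, `if (pos >= end_pos)` taking the same error path that sets `CR_UNKNOWN_ERROR` and returns -1, would reject such a packet first. The loop in the first function advances `cp` the same way with no end-of-packet pointer at all, so it would need an equivalent bound. The function body continues outside this hunk.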


