Why didn't you MFH the other changes too..? (The ZLIB stuff)
--Jani
On Mon, 10 Feb 2003, Moriyoshi Koizumi wrote:
>moriyoshi Mon Feb 10 15:13:36 2003 EDT
>
> Modified files: (Branch: PHP_4_3)
> /php4/main SAPI.c
> Log:
> MFH: fixed possible buffer overflow in 64bit systems
>
>
>Index: php4/main/SAPI.c
>diff -u php4/main/SAPI.c:1.155.2.6 php4/main/SAPI.c:1.155.2.7
>--- php4/main/SAPI.c:1.155.2.6 Sun Feb 9 16:28:49 2003
>+++ php4/main/SAPI.c Mon Feb 10 15:13:36 2003
>@@ -18,7 +18,7 @@
> +----------------------------------------------------------------------+
> */
>
>-/* $Id: SAPI.c,v 1.155.2.6 2003/02/09 21:28:49 sas Exp $ */
>+/* $Id: SAPI.c,v 1.155.2.7 2003/02/10 20:13:36 moriyoshi Exp $ */
>
> #include <ctype.h>
> #include <sys/stat.h>
>@@ -619,14 +619,18 @@
>
> 0, &result_len, -1 TSRMLS_CC);
> if(result_len==ptr_len) {
> char *lower_temp =
>estrdup(ptr);
>- char conv_temp[32];
>+ char conv_temp[64];
> int conv_len;
>
>
>php_strtolower(lower_temp,strlen(lower_temp));
> /* If there is no realm string
>at all, append one */
>
>if(!strstr(lower_temp,"realm")) {
> efree(result);
>- conv_len =
>sprintf(conv_temp," realm=\"%ld\"",myuid);
>+ conv_len =
>snprintf(conv_temp, sizeof(conv_temp), " realm=\"%ld\"",myuid);
>+ /* some broken
>snprintf() impls may return a negative value on failure */
>+ if (conv_len < 0) {
>+ conv_len = 0;
>+ }
> result =
>emalloc(ptr_len+conv_len+1);
> result_len =
>ptr_len+conv_len;
> memcpy(result, ptr,
>ptr_len);
>
>
>
>
--
<- For Sale! ->
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
