iliaa Wed Feb 25 17:12:04 2004 EDT
Modified files: (Branch: PHP_4_3)
/php-src NEWS
/php-src/ext/sockets sockets.c
Log:
MFH:
Fixed bug #21760 (Use of uninitialized pointer inside php_read()).
Fixed 3 possible crashes due to integer overflow or invalid user input
inside the sockets extension.
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.1247.2.578&r2=1.1247.2.579&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.578 php-src/NEWS:1.1247.2.579
--- php-src/NEWS:1.1247.2.578 Wed Feb 25 07:36:23 2004
+++ php-src/NEWS Wed Feb 25 17:12:02 2004
@@ -1,6 +1,8 @@
PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Feb 2004, Version 4.3.5
+- Fixed possible crashes inside socket extension, due to missing check inside
+ allocation functions. (Ilia)
- Fixed bug #27384 (unpack() misbehaves with 1 char string). (GeorgeS)
- Fixed bug #27383 (Potential crash inside fopen_wrapper, while parsing
response code). (Ilia)
@@ -16,6 +18,8 @@
(Jani, Markus dot Lidel at shadowconnect dot com)
- Fixed bug #26005 (Random "cannot change the session ini settings" errors).
(Jani, jsnajdr at kerio dot com)
+- Fixed bug #21760 (Use of uninitialized pointer inside php_read()). (Ilia,
+ uce at ftc dot gov)
16 Feb 2004, Version 4.3.5RC3
- Fixed zero bytes memory allocation when no extra ini files are found in the
http://cvs.php.net/diff.php/php-src/ext/sockets/sockets.c?r1=1.125.2.19&r2=1.125.2.20&ty=u
Index: php-src/ext/sockets/sockets.c
diff -u php-src/ext/sockets/sockets.c:1.125.2.19
php-src/ext/sockets/sockets.c:1.125.2.20
--- php-src/ext/sockets/sockets.c:1.125.2.19 Thu Aug 28 16:01:30 2003
+++ php-src/ext/sockets/sockets.c Wed Feb 25 17:12:03 2004
@@ -19,7 +19,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: sockets.c,v 1.125.2.19 2003/08/28 20:01:30 iliaa Exp $ */
+/* $Id: sockets.c,v 1.125.2.20 2004/02/25 22:12:03 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -294,6 +294,7 @@
set_errno(0);
+ *t = '\0';
while (*t != '\n' && *t != '\r' && n < maxlen) {
if (m > 0) {
t++;
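Review bot: The loop condition after the added `*t = '\0';` still dereferences `t` before it tests `n < maxlen`, so once `n` reaches `maxlen` the test reads one byte past the `maxlen` bytes the function was told it may use. That stays in bounds only if every caller allocates at least `maxlen + 1` bytes, which cannot be confirmed from this hunk. Putting the bound first, `while (n < maxlen && *t != '\n' && *t != '\r') {`, removes that dependency; the seeding store would then also want a `maxlen > 0` guard. A one-line comment on the new store, saying the caller's buffer is not zeroed, would explain why it is needed. The function starts and ends outside the hunk.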
@@ -808,7 +809,10 @@
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|l", &arg1, &length,
&type) == FAILURE)
return;
- if(length<0) RETURN_FALSE;
+ /* overflow check */
+ if((length + 1) < 2) {
+ RETURN_FALSE;
+ }
tmpbuf = emalloc(length + 1);
ZEND_FETCH_RESOURCE(php_sock, php_socket *, &arg1, -1, le_socket_name,
le_socket);
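Review bot: The new guard `(length + 1) < 2` detects overflow only by letting a signed addition wrap, which is undefined behaviour in C, so an optimising compiler may reduce it to `length < 1` and drop the overflow case. `length` appears to be a `long` (it is parsed with the `l` specifier), so comparing against the limit before adding avoids the problem: `if (length < 1 || length == LONG_MAX) {`. The same pattern recurs in the two later hunks, `(len + 1) < 2` and `(arg3 + 2) < 3`; the latter would become `arg3 < 1 || arg3 > LONG_MAX - 2`, which also makes the retained `if(arg3<0) RETURN_FALSE;` redundant. A zero length is now rejected where the removed `length<0` check accepted it, which is worth stating in the comment if intended. The enclosing functions start and end outside these hunks.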
@@ -1372,6 +1376,11 @@
ZEND_FETCH_RESOURCE(php_sock, php_socket *, &php_sock_res, -1, le_socket_name,
le_socket);
+ /* overflow check */
+ if ((len + 1) < 2) {
+ RETURN_FALSE;
+ }
+
recv_buf = emalloc(len + 1);
memset(recv_buf, 0, len + 1);
@@ -1446,6 +1455,11 @@
if(arg3<0) RETURN_FALSE;
+ /* overflow check */
+ if ((arg3 + 2) < 3) {
+ RETURN_FALSE;
+ }
+
recv_buf = emalloc(arg3 + 2);
memset(recv_buf, 0, arg3 + 2);