sesser          Thu Apr  8 10:58:04 2004 EDT

  Modified files:              
    /php-src/ext/soap   php_http.c 
  Log:
  Fixed: possible remote overflow and possible efree(NULL) crash
  
  
  
http://cvs.php.net/diff.php/php-src/ext/soap/php_http.c?r1=1.49&r2=1.50&ty=u
Index: php-src/ext/soap/php_http.c
diff -u php-src/ext/soap/php_http.c:1.49 php-src/ext/soap/php_http.c:1.50
--- php-src/ext/soap/php_http.c:1.49    Fri Apr  2 10:43:41 2004
+++ php-src/ext/soap/php_http.c Thu Apr  8 10:58:04 2004
@@ -17,7 +17,7 @@
   |          Dmitry Stogov <[EMAIL PROTECTED]>                             |
   +----------------------------------------------------------------------+
 */
-/* $Id: php_http.c,v 1.49 2004/04/02 15:43:41 dmitry Exp $ */
+/* $Id: php_http.c,v 1.50 2004/04/08 14:58:04 sesser Exp $ */
 
 #include "php_soap.h"
 #include "ext/standard/base64.h"
@@ -869,6 +869,10 @@
                                if (buf_size > 0) {
                                        int len_size = 0;
 
+                                       if (http_buf_size + buf_size + 1 < 0) {
+                                               efree(http_buf);
+                                               return FALSE;
+                                       }
                                        http_buf = erealloc(http_buf, http_buf_size + 
buf_size + 1);
 
                                        while (len_size < buf_size) {
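Review bot: The added guard `if (http_buf_size + buf_size + 1 < 0)` can only fire after the signed addition has already overflowed, which is undefined behaviour in C, so an optimising compiler may remove the test. Assuming both sizes are `int` (their declarations are outside the hunk), compare before adding instead: `if (buf_size > INT_MAX - http_buf_size - 1)`, with `<limits.h>` in scope. The `efree(http_buf)` inside the guard is unconditional, while the next hunk (@@ -888,7 +892,9) wraps the same call in `if (http_buf)`; if the buffer can still be NULL on the first chunk, this call needs the same check. The enclosing loop starts and ends outside the hunk.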
@@ -888,7 +892,9 @@
                                php_stream_getc(stream);
                        } else {
                                /* Somthing wrong in chunked encoding */
-                               efree(http_buf);
+                               if (http_buf) {
+                                       efree(http_buf);
+                               }
                                return FALSE;
                        }
                        if (buf_size == 0) {
@@ -901,14 +907,25 @@
                }
 
        } else if (header_length) {
+               if (header_length < 0) {
+                       return FALSE;
+               }
                http_buf = emalloc(header_length + 1);
                while (http_buf_size < header_length) {
-                       http_buf_size += php_stream_read(stream, http_buf + 
http_buf_size, header_length - http_buf_size);
+                       int len_read = php_stream_read(stream, http_buf + 
http_buf_size, header_length - http_buf_size);
+                       if (len_read <= 0) {
+                               break;
+                       }
+                       http_buf_size += len_read;
                }
        } else if (header_close) {
                do {
+                       int len_read;
                        http_buf = erealloc(http_buf, http_buf_size + 4096 + 1);
-                       http_buf_size += php_stream_read(stream, http_buf + 
http_buf_size, 4096);
+                       len_read = php_stream_read(stream, http_buf + http_buf_size, 
4096);
+                       if (len_read > 0) {
+                               http_buf_size += len_read;
+                       }
                } while(!php_stream_eof(stream));
        } else {
                return FALSE;
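Review bot: The `header_close` loop still grows the buffer with `erealloc(http_buf, http_buf_size + 4096 + 1)` and no upper bound, so the size overflow that the chunked branch now guards against remains reachable here if the peer keeps streaming data. A check before the `erealloc`, such as `if (http_buf_size > INT_MAX - 4096 - 1) { efree(http_buf); return FALSE; }`, or a configured maximum response size, would close it (types assumed to be `int`; the declarations are outside the hunk). In the `header_length` branch the new `break` on `len_read <= 0` leaves `http_buf_size < header_length`, and nothing visible in the hunk reports the short body as a failure, so confirm the code after the hunk does not accept it as a complete response. The enclosing function starts and ends outside the hunk.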
