sesser Thu Apr 8 10:58:04 2004 EDT Modified files: /php-src/ext/soap php_http.c Log: Fixed: possible remote overflow and possible efree(NULL) crash http://cvs.php.net/diff.php/php-src/ext/soap/php_http.c?r1=1.49&r2=1.50&ty=u Index: php-src/ext/soap/php_http.c diff -u php-src/ext/soap/php_http.c:1.49 php-src/ext/soap/php_http.c:1.50 --- php-src/ext/soap/php_http.c:1.49 Fri Apr 2 10:43:41 2004 +++ php-src/ext/soap/php_http.c Thu Apr 8 10:58:04 2004 @@ -17,7 +17,7 @@ | Dmitry Stogov <[EMAIL PROTECTED]> | +----------------------------------------------------------------------+ */ -/* $Id: php_http.c,v 1.49 2004/04/02 15:43:41 dmitry Exp $ */ +/* $Id: php_http.c,v 1.50 2004/04/08 14:58:04 sesser Exp $ */ #include "php_soap.h" #include "ext/standard/base64.h" @@ -869,6 +869,10 @@ if (buf_size > 0) { int len_size = 0; + if (http_buf_size + buf_size + 1 < 0) { + efree(http_buf); + return FALSE; + } http_buf = erealloc(http_buf, http_buf_size + buf_size + 1); while (len_size < buf_size) { @@ -888,7 +892,9 @@ php_stream_getc(stream); } else { /* Somthing wrong in chunked encoding */ - efree(http_buf); + if (http_buf) { + efree(http_buf); + } return FALSE; } if (buf_size == 0) { @@ -901,14 +907,25 @@ } } else if (header_length) { + if (header_length < 0) { + return FALSE; + } http_buf = emalloc(header_length + 1); while (http_buf_size < header_length) { - http_buf_size += php_stream_read(stream, http_buf + http_buf_size, header_length - http_buf_size); + int len_read = php_stream_read(stream, http_buf + http_buf_size, header_length - http_buf_size); + if (len_read <= 0) { + break; + } + http_buf_size += len_read; } } else if (header_close) { do { + int len_read; http_buf = erealloc(http_buf, http_buf_size + 4096 + 1); - http_buf_size += php_stream_read(stream, http_buf + http_buf_size, 4096); + len_read = php_stream_read(stream, http_buf + http_buf_size, 4096); + if (len_read > 0) { + http_buf_size += len_read; + } } while(!php_stream_eof(stream)); } else { return FALSE;
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php