iliaa Thu Dec 23 13:29:36 2004 EDT Modified files: (Branch: PHP_4_3) /php-src/ext/swf swf.c Log: Fixed potential buffer overflow inside swf_definepoly(). http://cvs.php.net/diff.php/php-src/ext/swf/swf.c?r1=1.46.2.3&r2=1.46.2.4&ty=u
Index: php-src/ext/swf/swf.c
diff -u php-src/ext/swf/swf.c:1.46.2.3 php-src/ext/swf/swf.c:1.46.2.4
--- php-src/ext/swf/swf.c:1.46.2.3 Thu Dec 23 13:04:10 2004
+++ php-src/ext/swf/swf.c Thu Dec 23 13:29:36 2004
@@ -16,7 +16,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: swf.c,v 1.46.2.3 2004/12/23 18:04:10 iliaa Exp $ */
+/* $Id: swf.c,v 1.46.2.4 2004/12/23 18:29:36 iliaa Exp $ */
 #ifdef HAVE_CONFIG_H
@@ -611,8 +611,13 @@
 convert_to_double_ex(width);
 if (Z_TYPE_PP(coordinates) != IS_ARRAY) {
- return;
 php_error(E_WARNING, "Wrong datatype of second argument to swf_definepoly");
+ RETURN_FALSE;
+ }
+
+ if (Z_LVAL_PP(NumPoints) > 256) {
+ php_error(E_WARNING, "The npoints value cannot be larger then 256.");
+ RETURN_FALSE;
 }
 npoints = Z_LVAL_PP(NumPoints);
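Review bot: The new guard on `Z_LVAL_PP(NumPoints)` checks only the upper limit, so a negative count still falls through to `npoints = Z_LVAL_PP(NumPoints);` and is used by the rest of swf_definepoly(), which lies outside this hunk. Rejecting both ends in the same test would close that: `if (Z_LVAL_PP(NumPoints) < 0 || Z_LVAL_PP(NumPoints) > 256) {`. The literal 256 presumably mirrors the size of a fixed array declared above the hunk; deriving the limit from that declaration or a shared constant would keep the check and the buffer from drifting apart. The check also relies on NumPoints having been converted with `convert_to_long_ex()` before this point, which is not visible here. The warning text should read "larger than 256".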