sniper Wed Aug 31 10:30:47 2005 EDT Added files: /php-src/ext/wddx/tests bug34306.phpt
Modified files: /php-src/ext/wddx wddx.c Log: - Fixed bug #34306 (wddx_serialize_value() crashes with long array keys) http://cvs.php.net/diff.php/php-src/ext/wddx/wddx.c?r1=1.122&r2=1.123&ty=u
Index: php-src/ext/wddx/wddx.c
diff -u php-src/ext/wddx/wddx.c:1.122 php-src/ext/wddx/wddx.c:1.123
--- php-src/ext/wddx/wddx.c:1.122 Sun Aug 14 16:24:34 2005
+++ php-src/ext/wddx/wddx.c Wed Aug 31 10:30:46 2005
@@ -16,7 +16,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: wddx.c,v 1.122 2005/08/14 20:24:34 iliaa Exp $ */
+/* $Id: wddx.c,v 1.123 2005/08/31 14:30:46 sniper Exp $ */
 #include "php.h"
@@ -423,7 +423,7 @@
 tmp = *var;
 zval_copy_ctor(&tmp);
 convert_to_string(&tmp);
- sprintf(tmp_buf, WDDX_NUMBER, Z_STRVAL(tmp));
+ snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp));
 zval_dtor(&tmp);
 php_wddx_add_chunk(packet, tmp_buf);
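Review bot: The size passed to the new `snprintf` in the `@@ -423,7 +423,7 @@` hunk is `Z_STRLEN(tmp)`, the length of the source string, not the capacity of `tmp_buf`. Because snprintf writes at most size-1 characters, the output is cut shorter than the value itself and loses whatever `WDDX_NUMBER` places around it, while a value longer than the buffer would still be written past its end since the bound grows with the input. The declaration of `tmp_buf` is outside this hunk; if it is a fixed array like the `char tmp_buf[WDDX_BUF_LEN]` removed in the `@@ -618,15 +618,17 @@` hunk, the call should read `snprintf(tmp_buf, sizeof(tmp_buf), WDDX_NUMBER, Z_STRVAL(tmp));`.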
@@ -618,15 +618,17 @@
 */
 void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name_len TSRMLS_DC) {
- char tmp_buf[WDDX_BUF_LEN];
+ char *tmp_buf;
 char *name_esc;
 int name_esc_len;
 HashTable *ht;
 if (name) {
 name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
- sprintf(tmp_buf, WDDX_VAR_S, name_esc);
+ tmp_buf = emalloc(name_esc_len + 1);
+ snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc);
 php_wddx_add_chunk(packet, tmp_buf);
+ efree(tmp_buf);
 efree(name_esc);
 }
http://cvs.php.net/co.php/php-src/ext/wddx/tests/bug34306.phpt?r=1.1&p=1
Index: php-src/ext/wddx/tests/bug34306.phpt
+++ php-src/ext/wddx/tests/bug34306.phpt
--TEST-- #34306 (wddx_serialize_value() crashes with long array keys) --FILE-- <?php $var = array('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa12345678901234567890123456789012345678901234567890ba12345678901234567890123456789012345678901234567890ba12345678901234567890123456789012345678901234567890ba12345678901234567890123456789012345678901234567890b12345678901234567891234567890123123121231211111' => 1); $buf = wddx_serialize_value($var, 'name'); echo "OK\n"; ?> --EXPECT-- OK -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
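Review bot: `tmp_buf` is allocated and bounded from `name_esc_len` alone, but what gets formatted is `WDDX_VAR_S` expanded with `name_esc`, which is longer than the escaped name whenever the format carries any literal text. The `name_esc_len` bound does stop the overflow, but it truncates the chunk, and for an empty name (`name_esc_len == 0`) snprintf writes nothing, so `php_wddx_add_chunk` would receive an uninitialised buffer. Size both calls from the format as well: `tmp_buf = emalloc(name_esc_len + sizeof(WDDX_VAR_S));` and `snprintf(tmp_buf, name_esc_len + sizeof(WDDX_VAR_S), WDDX_VAR_S, name_esc);`. This assumes `WDDX_VAR_S` is a string-literal macro; its definition and the rest of the function body are outside the hunk.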
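Review bot: The new test in `bug34306.phpt` only echoes `OK`, so it shows that the call no longer crashes but never inspects `$buf`. A truncated or malformed packet would still pass. Adding a round-trip check such as `var_dump(wddx_deserialize($buf) == $var);` to `--FILE--`, with `bool(true)` under `--EXPECT--`, would also pin the serialized output for long keys.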