Re: [PHP-CVS] cvs: php-src(PHP_4_4) /ext/wddx wddx.c

Fri, 19 May 2006 15:35:50 -0700 

Hello Antony,

   see inplace comments below

best regards
marcus

Friday, May 19, 2006, 12:37:32 PM, you wrote:

> tony2001                Fri May 19 10:37:32 2006 UTC

>   Modified files:              (Branch: PHP_4_4)
>     /php-src/ext/wddx   wddx.c 
>   Log:
>   MFH fix for #34306 (wddx_serialize_value() crashes with long array keys)
>   
>   
> http://cvs.php.net/viewcvs.cgi/php-src/ext/wddx/wddx.c?r1=1.96.2.6.2.4&r2=1.96.2.6.2.5&diff_format=u
> Index: php-src/ext/wddx/wddx.c
> diff -u php-src/ext/wddx/wddx.c:1.96.2.6.2.4 
> php-src/ext/wddx/wddx.c:1.96.2.6.2.5
> --- php-src/ext/wddx/wddx.c:1.96.2.6.2.4        Sun Apr 23 16:02:37 2006
> +++ php-src/ext/wddx/wddx.c     Fri May 19 10:37:32 2006
> @@ -16,7 +16,7 @@
>     +----------------------------------------------------------------------+
>   */
>  
> -/* $Id: wddx.c,v 1.96.2.6.2.4 2006/04/23 16:02:37 iliaa Exp $ */
> +/* $Id: wddx.c,v 1.96.2.6.2.5 2006/05/19 10:37:32 tony2001 Exp $ */
>  
>  #ifdef HAVE_CONFIG_H
>  #include "config.h"
> @@ -432,7 +432,7 @@
>         tmp = *var;
>         zval_copy_ctor(&tmp);
>         convert_to_string(&tmp);
> -       sprintf(tmp_buf, WDDX_NUMBER, Z_STRVAL(tmp));
> +       snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp));


*** This should most likely read sizeof(tmp_buf) ***

>         zval_dtor(&tmp);
>  
>         php_wddx_add_chunk(packet, tmp_buf);    
> @@ -624,17 +624,19 @@
>   */
>  void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int 
> name_len TSRMLS_DC)
>  {
> -       char tmp_buf[WDDX_BUF_LEN];
> +       char *tmp_buf;
>         char *name_esc;
>         int name_esc_len;
>  
>         if (name) {
>                 name_esc = php_escape_html_entities(name, name_len,
> &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
> -               sprintf(tmp_buf, WDDX_VAR_S, name_esc);
> +               tmp_buf = emalloc(name_esc_len + 1);
> +               snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc);

*** This should also most likely be sizeof(tmp_buf) ***

>                 php_wddx_add_chunk(packet, tmp_buf);
> +               efree(tmp_buf);
>                 efree(name_esc);
>         }
> -       
> +
>         switch(Z_TYPE_P(var)) {
>                 case IS_STRING:
>                         php_wddx_serialize_string(packet, var);




Best regards,
 Marcus

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to