[PHP-CVS] cvs: php-src(PHP_4_4) /ext/sysvmsg sysvmsg.c

[Ilia Alshanetsky]

iliaa           Sat Dec 23 18:56:42 2006 UTC

  Modified files:              (Branch: PHP_4_4)
    /php-src/ext/sysvmsg        sysvmsg.c 
  Log:
  MFB: Added checks for negative max length and overflow checks for
  overly long strings.
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/sysvmsg/sysvmsg.c?r1=1.4.2.5.2.3&r2=1.4.2.5.2.4&diff_format=u
Index: php-src/ext/sysvmsg/sysvmsg.c
diff -u php-src/ext/sysvmsg/sysvmsg.c:1.4.2.5.2.3 
php-src/ext/sysvmsg/sysvmsg.c:1.4.2.5.2.4
--- php-src/ext/sysvmsg/sysvmsg.c:1.4.2.5.2.3   Fri May 19 10:28:54 2006
+++ php-src/ext/sysvmsg/sysvmsg.c       Sat Dec 23 18:56:42 2006
@@ -15,7 +15,7 @@
    | Authors: Wez Furlong <[EMAIL PROTECTED]                           |
    +----------------------------------------------------------------------+
  */
-/* $Id: sysvmsg.c,v 1.4.2.5.2.3 2006/05/19 10:28:54 tony2001 Exp $ */
+/* $Id: sysvmsg.c,v 1.4.2.5.2.4 2006/12/23 18:56:42 iliaa Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -120,7 +120,7 @@
 {
        php_info_print_table_start();
        php_info_print_table_header(2, "sysvmsg support", "enabled");
-       php_info_print_table_row(2, "Revision", "$Revision: 1.4.2.5.2.3 $");
+       php_info_print_table_row(2, "Revision", "$Revision: 1.4.2.5.2.4 $");
        php_info_print_table_end();
 }
 /* }}} */
@@ -272,6 +272,11 @@
                                &out_message, &do_unserialize, &flags, 
&zerrcode) == FAILURE)
                return;
 
+       if (maxsize <= 0) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "maximum size of 
the message has to be greater then zero");
+               return;
+       }
+
        if (flags != 0) {
                if (flags & PHP_MSG_EXCEPT) {
 #ifndef MSG_EXCEPT
@@ -289,7 +294,7 @@
        
        ZEND_FETCH_RESOURCE(mq, sysvmsg_queue_t *, &queue, -1, "sysvmsg queue", 
le_sysvmsg);
 
-       messagebuffer = (struct php_msgbuf*)emalloc(sizeof(struct php_msgbuf) + 
maxsize);
+       messagebuffer = (struct php_msgbuf*)safe_emalloc(maxsize, 1, 
sizeof(struct php_msgbuf));
        
        result = msgrcv(mq->id, messagebuffer, maxsize, desiredmsgtype, 
realflags);
                
@@ -363,7 +368,7 @@
                
                /* NB: php_msgbuf is 1 char bigger than a long, so there is no 
need to
                 * allocate the extra byte. */
-               messagebuffer = emalloc(sizeof(struct php_msgbuf) + 
msg_var.len);
+               messagebuffer = safe_emalloc(msg_var.len, 1, sizeof(struct 
php_msgbuf));
                memcpy(messagebuffer->mtext, msg_var.c, msg_var.len + 1);
                message_len = msg_var.len;
                smart_str_free(&msg_var);
@@ -389,7 +394,7 @@
                                RETURN_FALSE;
                }
 
-               messagebuffer = emalloc(sizeof(struct php_msgbuf) + 
message_len);
+               messagebuffer = safe_emalloc(message_len, 1, sizeof(struct 
php_msgbuf));
                memcpy(messagebuffer->mtext, p, message_len + 1);
 
                if (Z_TYPE_P(message) != IS_STRING) {

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php