iliaa Sat Dec 23 23:29:41 2006 UTC
Modified files:
/php-src/ext/zip php_zip.c zip_stream.c
Log:
MFB: safety checks
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.33&r2=1.34&diff_format=u
Index: php-src/ext/zip/php_zip.c
diff -u php-src/ext/zip/php_zip.c:1.33 php-src/ext/zip/php_zip.c:1.34
--- php-src/ext/zip/php_zip.c:1.33 Tue Dec 19 02:05:27 2006
+++ php-src/ext/zip/php_zip.c Sat Dec 23 23:29:41 2006
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: php_zip.c,v 1.33 2006/12/19 02:05:27 pajoye Exp $ */
+/* $Id: php_zip.c,v 1.34 2006/12/23 23:29:41 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -83,30 +83,29 @@
/* {{{ php_zip_extract_file */
/* TODO: Simplify it */
-static int php_zip_extract_file(struct zip * za, char *dest, char *file
TSRMLS_DC)
+static int php_zip_extract_file(struct zip * za, char *dest, char *file, int
file_len TSRMLS_DC)
{
php_stream_statbuf ssb;
struct zip_file *zf;
struct zip_stat sb;
char b[8192];
- int n, len, ret, file_len;
+ int n, len, ret;
php_stream *stream;
char *fullpath;
char *file_dirname_fullpath;
- char file_dirname[MAXPATHLEN + 1];
+ char file_dirname[MAXPATHLEN];
size_t dir_len;
char *file_basename;
size_t file_basename_len;
- if (zip_stat(za, file, 0, &sb)) {
+ if (file_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb)) {
return 0;
}
- file_len = strlen(file);
memcpy(file_dirname, file, file_len);
dir_len = php_dirname(file_dirname, file_len);
@@ -117,7 +116,7 @@
len = spprintf(&file_dirname_fullpath, 0, "%s", dest);
}
- php_basename(file, file_len, NULL, 0, &file_basename, (int
*)&file_basename_len TSRMLS_CC);
+ php_basename(file, file_len, NULL, 0, &file_basename,
&file_basename_len TSRMLS_CC);
/* let see if the path already exists */
if (php_stream_stat_path(file_dirname_fullpath, &ssb) < 0) {
@@ -876,7 +875,7 @@
int filename_len;
int err = 0;
long flags = 0;
- char resolved_path[MAXPATHLEN + 1];
+ char resolved_path[MAXPATHLEN];
zval *this = getThis();
ze_zip_object *ze_obj = NULL;
@@ -995,7 +994,7 @@
struct zip_source *zs;
long offset_start = 0, offset_len = 0;
int cur_idx, res;
- char resolved_path[MAXPATHLEN + 1];
+ char resolved_path[MAXPATHLEN];
if (!this) {
RETURN_FALSE;
@@ -1759,7 +1758,7 @@
RETURN_FALSE;
}
- if (!php_zip_extract_file(intern, pathto, file
TSRMLS_CC)) {
+ if (!php_zip_extract_file(intern, pathto, file,
file_len TSRMLS_CC)) {
efree(file);
RETURN_FALSE;
}
@@ -1789,7 +1788,7 @@
RETURN_FALSE;
}
- if
(!php_zip_extract_file(intern, pathto, file TSRMLS_CC)) {
+ if
(!php_zip_extract_file(intern, pathto, file, file_len TSRMLS_CC)) {
efree(file);
RETURN_FALSE;
}
@@ -1814,7 +1813,7 @@
for (i = 0; i < filecount; i++) {
file = (char*)zip_get_name(intern, i, ZIP_FL_UNCHANGED);
- if (!php_zip_extract_file(intern, pathto, file TSRMLS_CC)) {
+ if (!php_zip_extract_file(intern, pathto, file, strlen(file)
TSRMLS_CC)) {
RETURN_FALSE;
}
}
@@ -1877,7 +1876,7 @@
RETURN_FALSE;
}
- buffer = safe_emalloc(len + 1, 1, 1);
+ buffer = safe_emalloc(len, 1, 2);
n = zip_fread(zf, buffer, len);
if (n < 1) {
RETURN_EMPTY_STRING();
@@ -2071,7 +2070,7 @@
php_info_print_table_start();
php_info_print_table_row(2, "Zip", "enabled");
- php_info_print_table_row(2, "Extension Version","$Id: php_zip.c,v 1.33
2006/12/19 02:05:27 pajoye Exp $");
+ php_info_print_table_row(2, "Extension Version","$Id: php_zip.c,v 1.34
2006/12/23 23:29:41 iliaa Exp $");
php_info_print_table_row(2, "Zip version", "2.0.0");
php_info_print_table_row(2, "Libzip version", "0.7.1");
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/zip_stream.c?r1=1.3&r2=1.4&diff_format=u
Index: php-src/ext/zip/zip_stream.c
diff -u php-src/ext/zip/zip_stream.c:1.3 php-src/ext/zip/zip_stream.c:1.4
--- php-src/ext/zip/zip_stream.c:1.3 Sun Nov 12 00:41:41 2006
+++ php-src/ext/zip/zip_stream.c Sat Dec 23 23:29:41 2006
@@ -1,4 +1,4 @@
-/* $Id: zip_stream.c,v 1.3 2006/11/12 00:41:41 nlopess Exp $ */
+/* $Id: zip_stream.c,v 1.4 2006/12/23 23:29:41 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
# include "config.h"
#endif
@@ -153,7 +153,7 @@
char *file_basename;
size_t file_basename_len;
- char file_dirname[MAXPATHLEN+1];
+ char file_dirname[MAXPATHLEN];
struct zip *za;
struct zip_file *zf = NULL;
@@ -179,15 +179,15 @@
return NULL;
}
path_len = strlen(path);
+ if (path_len >= MAXPATHLEN || mode[0] != 'r') {
+ return NULL;
+ }
memcpy(file_dirname, path, path_len - fragment_len);
file_dirname[path_len - fragment_len] = '\0';
php_basename(path, path_len - fragment_len, NULL, 0, &file_basename,
&file_basename_len TSRMLS_CC);
fragment++;
- if (mode[0] != 'r') {
- return NULL;
- }
za = zip_open(file_dirname, ZIP_CREATE, &err);
if (za) {
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
