dmitry Mon Jun 23 11:37:50 2008 UTC Modified files: (Branch: PHP_5_3) /php-src/sapi/cgi cgi_main.c Log: Fixed possible buffer overflow http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.50.2.18&r2=1.267.2.15.2.50.2.19&diff_format=u Index: php-src/sapi/cgi/cgi_main.c diff -u php-src/sapi/cgi/cgi_main.c:1.267.2.15.2.50.2.18 php-src/sapi/cgi/cgi_main.c:1.267.2.15.2.50.2.19 --- php-src/sapi/cgi/cgi_main.c:1.267.2.15.2.50.2.18 Tue Apr 15 11:31:58 2008 +++ php-src/sapi/cgi/cgi_main.c Mon Jun 23 11:37:50 2008 @@ -21,7 +21,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: cgi_main.c,v 1.267.2.15.2.50.2.18 2008/04/15 11:31:58 dmitry Exp $ */ +/* $Id: cgi_main.c,v 1.267.2.15.2.50.2.19 2008/06/23 11:37:50 dmitry Exp $ */ #include "php.h" #include "php_globals.h" @@ -723,12 +723,16 @@ (PG(user_ini_filename) && *PG(user_ini_filename))) { /* Prepare search path */ path_len = strlen(SG(request_info).path_translated); - path = estrndup(SG(request_info).path_translated, path_len); - path_len = zend_dirname(path, path_len); /* Make sure we have trailing slash! */ - if (!IS_SLASH(path[path_len])) { + if (!IS_SLASH(SG(request_info).path_translated[path_len])) { + path = emalloc(path_len + 2); + memcpy(path, SG(request_info).path_translated, path_len + 1); + path_len = zend_dirname(path, path_len); path[path_len++] = DEFAULT_SLASH; + } else { + path = estrndup(SG(request_info).path_translated, path_len); + path_len = zend_dirname(path, path_len); } path[path_len] = 0;
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php