andrey Tue, 27 Apr 2010 08:02:08 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=298640
Log: Fixed possible buffer overflow in mysqlnd_conn__list_fields. Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c U php/php-src/trunk/ext/mysqlnd/mysqlnd.c Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2010-04-27 06:24:24 UTC (rev 298639) +++ php/php-src/branches/PHP_5_3/NEWS 2010-04-27 08:02:08 UTC (rev 298640) @@ -16,6 +16,7 @@ - Implemented FR#35638 (Adding udate to imap_fetch_overview results). (Charles_Duffy at dell dot com ) +- Fixed possible buffer overflow in mysqlnd_list_fields. (Andrey) - Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser (Ilia) Modified: php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c 2010-04-27 06:24:24 UTC (rev 298639) +++ php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c 2010-04-27 08:02:08 UTC (rev 298640) @@ -1074,14 +1074,16 @@ p = buff; if (table && (table_len = strlen(table))) { - memcpy(p, table, MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4)); - p += table_len; + size_t to_copy = MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4); + memcpy(p, table, to_copy); + p += to_copy; *p++ = '\0'; } if (achtung_wild && (wild_len = strlen(achtung_wild))) { - memcpy(p, achtung_wild, MIN(wild_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4)); - p += wild_len; + size_t to_copy = MIN(wild_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4); + memcpy(p, achtung_wild, to_copy); + p += to_copy; *p++ = '\0'; } Modified: php/php-src/trunk/ext/mysqlnd/mysqlnd.c =================================================================== --- php/php-src/trunk/ext/mysqlnd/mysqlnd.c 2010-04-27 06:24:24 UTC (rev 298639) +++ php/php-src/trunk/ext/mysqlnd/mysqlnd.c 2010-04-27 08:02:08 UTC (rev 298640) @@ -1074,14 +1074,16 @@ p = buff; if (table && (table_len = strlen(table))) { - memcpy(p, table, MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4)); - p += table_len; + size_t to_copy = MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4); + memcpy(p, table, to_copy); + p += to_copy; *p++ = '\0'; } if (achtung_wild && (wild_len = strlen(achtung_wild))) { - memcpy(p, achtung_wild, MIN(wild_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4)); - p += wild_len; + size_t to_copy = MIN(wild_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4); + memcpy(p, achtung_wild, to_copy); + p += to_copy; *p++ = '\0'; }
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php